Create exploit for Cisco Prime Infrastructure RCE #10765

Closed
wants to merge 4 commits into
base: master
from


pedrib commented Oct 8, 2018

This module exploits two vulnerabilities in Cisco Prime Infrastructure to achieve RCE as root. The first vuln is an arbitrary file upload, allowing us to get RCE as an unprivileged user. The second vuln is a privilege escalation to root.

This module has been tested in Prime 3.2 and 3.4. Please check the description and links on the module for more details, and have fun popping this easy shell.

pedrib added some commits Sep 17, 2018

@bcoles bcoles added the needs-docs label Oct 8, 2018

bcoles commented Oct 8, 2018

Hey @pedrib

Thanks for the modules. Please resubmit this from a unique branch.

@bcoles bcoles added the module label Oct 8, 2018

pedrib commented Oct 8, 2018

Created PR #10767

@pedrib pedrib closed this Oct 8, 2018

@@ -0,0 +1,193 @@
##
# This module requires Metasploit: http://metasploit.com/download

@bcoles

bcoles Oct 8, 2018

Contributor

https

end
def check

@bcoles

bcoles Oct 8, 2018

Contributor

Golfed / tidied:

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], 'swimtemp'),
      'method' => 'GET'
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.code == 404 && res.body.length == 0
      # at the moment this is the best way to detect
      # a 404 in swimtemp only returns the error code with a body length of 0,
      # while a 404 to another webapp or to the root returns code plus a body with content
      return CheckCode::Detected
    end

    CheckCode::Safe
  end

var_decoder = rand_text_alpha(rand(8) + 3)
var_tmp = rand_text_alpha(rand(8) + 3)
var_path = rand_text_alpha(rand(8) + 3)
var_tmp2 = rand_text_alpha(rand(8) + 3)
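Review bot: all four assignments repeat `rand_text_alpha(rand(8) + 3)`, so the identifier length range is defined in four places; consider moving it into one small helper or a single length expression so it can only be changed consistently. `var_tmp` and `var_tmp2` also differ only by a numeric suffix, which makes them easy to swap where they are used; names that say what each one holds would be safer.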

@bcoles

bcoles Oct 8, 2018

Contributor

Inconsistent indentation.
