This Metasploit module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account had broad sudo permissions, including to run the script /usr/local/bin/chrootpasswd (which changes the password for the Linux root account on the system to the value specified by console input once it is executed). The password for the proxy user account specified will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth credentials as well to exploit this vulnerability. Use the USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears to never be executed due to a bug in the vulnerable CGI script which also prevents normal use (http://jira.endian.com/browse/UTM-1002). Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug (http://bugs.endian.com/print_bug_page.php?bug_id=3083). Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2. Should function against any version from 1.1 RC5 to 2.2.x, as well as 2.4.1 and 2.5.x.
93595333575588a0761fd710896979bd064097e42ff0603d14d9ecebcedd6cffThis is a Metasploit-style module system specifically for XXE exploit code. This allows a common interface, including the ability to automate downloads of numerous files, or automatically walk the directory structure if the vulnerable system is based on Java.
2a7816d21a64e47351a2d07b9a62e0b2608e025ddb24e5a5ec4f745d5b82bbfbThis is a Metasploit-style module system specifically for XXE exploit code. This allows a common interface, including the ability to automate downloads of numerous files, or automatically walk the directory structure if the vulnerable system is based on Java.
4e08b55a546faeff41068928bc3ca50a97d8ac5d5ac1c90754d365538b92d25d
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed