Also check for the Debian PHP version number

bug/bundler_fix
Christian Mehlmauer 2015-12-16 15:19:33 +01:00
parent 67eba0d708
commit 30f90f35e9
1 changed files with 19 additions and 7 deletions


@ -19,8 +19,8 @@ class Metasploit3 < Msf::Exploit::Remote
by sending an UTF-8 character. The custom created payload is then executed once the session is read
from the databse. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.
In later versions the deserialisation of invalid session data stops on the first error and the
exploit will not work. On Ubuntu the PHP Patch was included in versions 5.5.9+dfsg-1ubuntu4.13 and
5.3.10-1ubuntu3.20.
exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and
5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.
},
'Author' =>
[
@ -67,20 +67,20 @@ class Metasploit3 < Msf::Exploit::Remote
end
php_version, rest = res.headers['X-Powered-By'].scan(/PHP\/([\d\.]+)(?:-(.+))?/i).flatten || ''
vprint_status("Found PHP version: #{php_version}")
version = Gem::Version.new(php_version)
vulnerable = false
# check for ubuntu specific versions. Was fixed in
# check for ubuntu and debian specific versions. Was fixed in
# * 5.5.9+dfsg-1ubuntu4.13
# * 5.3.10-1ubuntu3.20
# Changelogs (search for CVE-2015-6835):
# * 5.4.45-0+deb7u1
# Changelogs (search for CVE-2015-6835 or #70219):
# http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.5.9+dfsg-1ubuntu4.13/changelog
# http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.3.10-1ubuntu3.20/changelog
# http://metadata.ftp-master.debian.org/changelogs/main/p/php5/php5_5.4.45-0+deb7u2_changelog
if rest && rest.include?('ubuntu')
sub_version = rest.scan(/^\dubuntu([\d\.]+)/i).flatten.first || ''
vprint_status("Found Ubuntu PHP version: #{php_version}-#{sub_version}")
vprint_status("Found Ubuntu PHP version: #{res.headers['X-Powered-By']}")
if version > Gem::Version.new('5.5.9')
vulnerable = false
@ -91,7 +91,19 @@ class Metasploit3 < Msf::Exploit::Remote
else
vulnerable = true
end
elsif rest && rest.include?('+deb')
sub_version = rest.scan(/^\d+\+deb([\du]+)/i).flatten.first || ''
vprint_status("Found Debian PHP version: #{res.headers['X-Powered-By']}")
if version > Gem::Version.new('5.4.45')
vulnerable = false
elsif version == Gem::Version.new('5.4.45') && sub_version != '7u1'
vulnerable = false
else
vulnerable = true
end
else
vprint_status("Found PHP version: #{res.headers['X-Powered-By']}")
vulnerable = true if version <= Gem::Version.new('5.4.44')
vulnerable = true if version.between?(Gem::Version.new('5.5.0'), Gem::Version.new('5.5.28'))
vulnerable = true if version.between?(Gem::Version.new('5.6.0'), Gem::Version.new('5.6.12'))