Nmap Development mailing list archives

[NSE] script for exploiting CVE-2014-8877 vulnerability


From: Mariusz Ziulek <mzet () owasp org>
Date: Fri, 19 Dec 2014 01:12:28 +0100

Hi List,

I've just completed a script that exploits the CVE-2014-8877 vulnerability. This
flaw was found recently in the WordPress CM Download Manager plugin
(https://wordpress.org/plugins/cm-download-manager/). Versions <= 2.0.0
are affected.

The vulnerability allows injecting arbitrary PHP code via the CMDsearch param.
The script simply injects a system() call with an OS shell command of choice
(provided as the script's parameter) as its argument.

Testing and comments are appreciated.

Running the script:
nmap -P0 -p80 -n --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",http-vuln-cve2014-8877.uri="/wordpress"

Where the 'cmd' parameter is the shell command to execute and 'uri' is the path
to your WordPress installation.

Revisions 1007950 (and below) of the plugin are affected, so if anyone
would like to test the script locally, here's a command to quickly fetch the
right (vulnerable) version of the plugin:

svn co -r 1007950 http://plugins.svn.wordpress.org/cm-download-manager/trunk/ cm-dw-manager

Regards,
Mariusz

Attachment: http-vuln-cve2014-8877.nse
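From the defender's side, the same indicator the post relies on (PHP code, such as a system() call, arriving in the CMDsearch parameter) can be checked for in web-server access logs. The following is an added example, not part of the original post or of the NSE script; the plugin URL path (/cmdownloads/) and the log lines are constructed assumptions for illustration.

```python
"""Flag access-log requests whose CM Download Manager 'CMDsearch' parameter
carries PHP code instead of a plain search term (CVE-2014-8877 indicator).
Added example; the sample log lines below are constructed, not real traffic."""
import re
from urllib.parse import urlparse, parse_qs, unquote

# PHP code markers: the post names system(); the others are common PHP
# execution/eval functions a search term should never contain.
PHP_CODE = re.compile(
    r"(?:<\?php|\b(?:system|exec|passthru|shell_exec|eval|assert)\s*\()", re.I)

# Combined-log-format request line: "METHOD PATH HTTP/x.y"
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def suspicious_cmdsearch(log_line):
    """Return the decoded CMDsearch value if it looks like PHP code, else None."""
    m = REQ.search(log_line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    for value in params.get("CMDsearch", []):
        decoded = unquote(value)  # second pass catches double-encoded payloads
        if PHP_CODE.search(decoded):
            return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_payload) for each suspicious entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        payload = suspicious_cmdsearch(line)
        if payload is not None:
            hits.append((n, payload))
    return hits

# Constructed samples: a benign search, an injected PHP payload, an unrelated hit.
# The /cmdownloads/ path is an assumed plugin page slug.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Dec/2014:01:12:28 +0100] "GET /wordpress/cmdownloads/?CMDsearch=quarterly+report HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Dec/2014:01:13:02 +0100] "GET /wordpress/cmdownloads/?CMDsearch=%3C%3Fphp+system%28%22id%22%29%3B HTTP/1.1" 200 812',
    '203.0.113.7 - - [19/Dec/2014:01:14:40 +0100] "GET /wordpress/wp-login.php HTTP/1.1" 200 3020',
]

if __name__ == "__main__":
    for n, payload in scan(SAMPLE_LOG):
        print(f"line {n}: CMDsearch carries PHP code: {payload!r}")
```

Only the second sample line is reported; a plain search term and a request without the parameter pass untouched.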

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
