(self)
| 11 | |
| 12 | class DshellPlugin(HTTPPlugin): |
| 13 | def __init__(self): |
| 14 | super().__init__( |
| 15 | name="Joomla CVE-2015-8562", |
| 16 | author="bg", |
| 17 | description='detect attempts to enumerate MS15-034 vulnerable IIS servers', |
| 18 | bpf='tcp and (port 80 or port 8080 or port 8000)', |
| 19 | output=AlertOutput(label=__name__), |
| 20 | optiondict={ |
| 21 | "raw_payload": { |
| 22 | "action": "store_true", |
| 23 | "help": "return the raw payload (do not attempt to decode chr encoding)", |
| 24 | } |
| 25 | }, |
| 26 | longdescription=''' |
| 27 | Detect and dissect malformed HTTP headers targeting Joomla |
| 28 | |
| 29 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 |
| 30 | |
| 31 | Usage Examples: |
| 32 | --------------- |
| 33 | |
| 34 | Dshell> decode -d joomla *.pcap |
| 35 | [Joomla CVE-2015-8562] 2015-12-15 20:17:18 192.168.1.119:43865 <- 192.168.1.139:80 ** x-forwarded-for -> system('touch /tmp/2'); ** |
| 36 | |
| 37 | The module assumes the cmd payload is encoded using chr. To turn this off run: |
| 38 | |
| 39 | Dshell> decode -d joomla --joomla_raw_payload *.pcap |
| 40 | [Joomla CVE-2015-8562] 2015-12-15 20:17:18 192.168.1.119:43865 <- 192.168.1.139:80 ** x-forwarded-for -> "eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(116).chr(111).chr(117).chr(99).chr(104).chr(32).chr(47).chr(116).chr(109).chr(112).chr(47).chr(50).chr(39).chr(41).chr(59)); ** |
| 41 | ''', |
| 42 | ) |
| 43 | |
| 44 | # Indicator of (potential) compromise |
| 45 | self.ioc = "JFactory::getConfig();exit" |
| 46 | self.ioc_bytes = bytes(self.ioc, "ascii") |
| 47 | |
| 48 | def attempt_decode(self, cmd): |
| 49 | ptext = '' |
nothing calls this directly
no test coverage detected