module
ATutor 2.2.4 - Directory Traversal / Remote Code Execution,
| Disclosed | Created |
|---|---|
| 05/17/2019 | 06/29/2020 |
Disclosed
05/17/2019
Created
06/29/2020
Description
This module exploits an arbitrary file upload vulnerability together with
a directory traversal flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in
order to execute arbitrary commands.
It first creates a zip archive containing a malicious PHP file. The zip
archive takes advantage of a directory traversal vulnerability that will
cause the PHP file to be dropped in the root server directory (`htdocs`
for Windows and `html` for Linux targets). The PHP file contains an
encoded payload that allows for remote command execution on the
target server. The zip archive can be uploaded via two vectors, the
`Import New Language` function and the `Patcher` function. The module
first uploads the archive via `Import New Language` and then attempts to
execute the payload via an HTTP GET request to the PHP file in the root
server directory. If no session is obtained, the module creates another
zip archive and attempts exploitation via `Patcher`.
Valid credentials for an ATutor admin account are required. This module
has been successfully tested against ATutor 2.2.4 running on Windows 10
(XAMPP server).
a directory traversal flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in
order to execute arbitrary commands.
It first creates a zip archive containing a malicious PHP file. The zip
archive takes advantage of a directory traversal vulnerability that will
cause the PHP file to be dropped in the root server directory (`htdocs`
for Windows and `html` for Linux targets). The PHP file contains an
encoded payload that allows for remote command execution on the
target server. The zip archive can be uploaded via two vectors, the
`Import New Language` function and the `Patcher` function. The module
first uploads the archive via `Import New Language` and then attempts to
execute the payload via an HTTP GET request to the PHP file in the root
server directory. If no session is obtained, the module creates another
zip archive and attempts exploitation via `Patcher`.
Valid credentials for an ATutor admin account are required. This module
has been successfully tested against ATutor 2.2.4 running on Windows 10
(XAMPP server).
Authors
liquidsky (JMcPeters)Erik Wynter
Platform
Linux,Windows
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/multi/http/atutor_upload_traversal
msf /(l) > show actions
...actions...
msf /(l) > set ACTION < action-name >
msf /(l) > show options
...show and set options...
msf /(l) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.