Rapid7 Vulnerability & Exploit Database

ATutor 2.2.4 - Directory Traversal / Remote Code Execution,

Back to Search

ATutor 2.2.4 - Directory Traversal / Remote Code Execution,

Disclosed
05/17/2019
Created
06/29/2020

Description

This module exploits an arbitrary file upload vulnerability together with a directory traversal flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in order to execute arbitrary commands. It first creates a zip archive containing a malicious PHP file. The zip archive takes advantage of a directory traversal vulnerability that will cause the PHP file to be dropped in the root server directory (`htdocs` for Windows and `html` for Linux targets). The PHP file contains an encoded payload that allows for remote command execution on the target server. The zip archive can be uploaded via two vectors, the `Import New Language` function and the `Patcher` function. The module first uploads the archive via `Import New Language` and then attempts to execute the payload via an HTTP GET request to the PHP file in the root server directory. If no session is obtained, the module creates another zip archive and attempts exploitation via `Patcher`. Valid credentials for an ATutor admin account are required. This module has been successfully tested against ATutor 2.2.4 running on Windows 10 (XAMPP server).

Author(s)

  • liquidsky (JMcPeters)
  • Erik Wynter

Platform

Linux,Windows

Architectures

x86, x64

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/atutor_upload_traversal
msf exploit(atutor_upload_traversal) > show targets
    ...targets...
msf exploit(atutor_upload_traversal) > set TARGET < target-id >
msf exploit(atutor_upload_traversal) > show options
    ...show and set options...
msf exploit(atutor_upload_traversal) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;