Pages

Saturday, 11 February 2012

Tim Thumb WordPRESS ExPLoit

Recently tim thumb wordpress 0 day exploit is released by MaxE it caches even remote files locally, without doing any proper sanitization. The file “timthumb.php” does however, check if to see if the target file is actually an image or not. This timthumb file is also quite often renamed to something else and is used in many themes.




TimThumbCraft – Image Crafting Tool

The easiest way to trick TimThumb into believing a remotely stored image (that also contains evil PHP code) is an actual image, is to either craft it yourself or by using an external tool. Here is small tool for the job which also has a few encoding features, payload types, and of course, options for custom images.
Feature List:

List known vulnerable themes
Choose between 2 images or select your own
Enter your own code or use the Reverse PHP Shell
Encode your PHP Payload, this applies only if “code” is chosen
Base64 and Hexadecimal encoding is currently supported
Hexadecimal output of the created file. (Can be used in paste’s, etc.)
MD5 calculation of filename, that the target server will most likely use

References:
Proof of Concept: http://www.exploit-db.com/exploits/17602/
TimThumbCraft: Download it here
Demo Video (LQ): http://www.youtube.com/watch?v=udyEOzHK08E
Demo Video (HQ): https://rapidshare.com/files/2016620847/timthumb.avi
Original Info: http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
Vulnerable Themes: http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html

source: http://www.exploit-db.com/wordpress-timthumb-exploitation/

2 comments:

  1. I'm following this tutorial for a test, locally, with XAMPP.
    I can upload the image (test.php) but instead of creating the .php file in the "cache" of timthumb, is created only one image .PNG
    How can it be that is created only a PNG? The exploit does not work that way because, obviously, you can not execute commands.

    ReplyDelete