
add. exploit module vbulletin 5.x unauth RCE #12364

Merged (7 commits), Dec 10, 2019

Conversation

mekhalleh
Contributor

@mekhalleh mekhalleh commented Sep 25, 2019

Fixes #12360

https://seclists.org/fulldisclosure/2019/Sep/31

vBulletin 5.x 0day pre-auth RCE exploit
This should work on all versions from 5.0.0 till 5.5.4

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • set exploit/multi/http/vbulletin_5x_unauth_rce
  • set RHOSTS 192.168.1.11
  • set LHOST 192.168.1.10
  • run

TODO: docs; try to drop an ELF/PE binary for a better experience.

@mekhalleh
Contributor Author

Actually tested on a Windows host with vBulletin v5.4.5.

[screenshot: mod1_win]

[screenshot: mod2_win]

@mekhalleh
Contributor Author

Tested on a Linux host with vBulletin v5.5.1.

[screenshot: mod3_lnx]

[screenshot: mod4_lnx]

@space-r7 space-r7 added docs and removed needs-docs labels Sep 30, 2019
Contributor

@h00die h00die left a comment


First look over, this is pretty good. Untested, some style things to change, will test once they get fixed up

@space-r7 space-r7 added the needs-testing-environment PRs that need community testing and/or vulnerable test targets before they're able to be landed label Nov 6, 2019
@space-r7
Contributor

space-r7 commented Nov 6, 2019

First look over, this is pretty good. Untested, some style things to change, will test once they get fixed up

Hi @h00die! Would you happen to have a test environment and if so, would you be willing to test this if you have the time? If not, I can verify with a pcap. Thanks!

@h00die
Contributor

h00die commented Nov 10, 2019

@space-r7 I wanted to get around to this, but realistically I'm not going to be able to in a reasonable amount of time

@space-r7
Contributor

@space-r7 I wanted to get around to this, but realistically I'm not going to be able to in a reasonable amount of time

Alrighty, no worries! Thank you!

Hey @mekhalleh, when you have time, could you please send a pcap of exploiting vBulletin with your module to msfdev[at]metasploit.com? Thanks!

@mekhalleh
Contributor Author

@space-r7 I wanted to get around to this, but realistically I'm not going to be able to in a reasonable amount of time

Alrighty, no worries! Thank you!

Hey @mekhalleh, when you have time, could you please send a pcap of exploiting vBulletin with your module to msfdev[at]metasploit.com? Thanks!

It's sent.

@space-r7
Contributor

Verified the pcap, will go ahead and land.

space-r7 added a commit that referenced this pull request Dec 10, 2019
@space-r7 space-r7 merged commit eb2817b into rapid7:master Dec 10, 2019
msjenkins-r7 pushed a commit that referenced this pull request Dec 10, 2019
@space-r7
Contributor

Release Notes

This adds an exploit module for vBulletin v5.0.0 through v5.5.4 that gains unauthenticated remote code execution by leveraging a flaw in the widget creation functionality. RCE can be leveraged by sending a POST request to ajax/render/widget_php with arbitrary data located in the widgetConfig[code] parameter.
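A defender-side check for the request pattern the release notes describe (a request to ajax/render/widget_php carrying a widgetConfig[code] parameter), added here as an example and not part of the module or the Metasploit project. It assumes a proxy or WAF log that retains URL-decoded form bodies, and goes slightly beyond the page by also flagging the parameter when it arrives in a GET query string.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Request pattern from the release notes: a request to ajax/render/widget_php
# carrying a widgetConfig[code] parameter (compared case-insensitively).
TARGET_PATH = "ajax/render/widget_php"
TARGET_PARAM = "widgetconfig[code]"

# Constructed sample records (url, body), standing in for a reverse proxy or
# WAF log that keeps POST bodies; none of these are real traffic.
SAMPLE_REQUESTS = [
    ("/forum/", ""),
    ("/forum/ajax/render/widget_php", "widgetConfig%5Bcode%5D=CONSTRUCTED_TEST_VALUE"),
    ("/forum/ajax/render/widget_php", "widgetConfig[title]=hello"),
    ("/forum/AJAX/render/WIDGET_PHP/", "widgetConfig%5bcode%5d=x"),
    ("/forum/ajax/render/widget_php?widgetConfig[code]=x", ""),
]


def targets_widget_php(url):
    """True when the request path ends in the widget_php render endpoint,
    after percent-decoding, case-folding and trailing-slash stripping so
    trivial evasions still match."""
    path = unquote(urlsplit(url).path).lower().rstrip("/")
    return path.endswith(TARGET_PATH)


def carries_code_param(query, body):
    """True when widgetConfig[code] appears in the query string or in the
    form-encoded body; parse_qs decodes %5B/%5D in parameter names."""
    for source in (query, body):
        names = parse_qs(source, keep_blank_values=True)
        if any(name.lower() == TARGET_PARAM for name in names):
            return True
    return False


def classify(url, body=""):
    """Return 'exploit_attempt', 'widget_php_request' (endpoint touched
    without the code parameter; worth logging) or 'benign'."""
    if not targets_widget_php(url):
        return "benign"
    if carries_code_param(urlsplit(url).query, body):
        return "exploit_attempt"
    return "widget_php_request"


def scan(records):
    """Classify every (url, body) record; returns (index, verdict) pairs."""
    return [(i, classify(u, b)) for i, (u, b) in enumerate(records)]
```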

@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 14, 2020