
Add phpstudy backdoor exploit module #12975

Merged
merged 6 commits into rapid7:master Mar 10, 2020

Conversation

@AirEvan
Contributor

AirEvan commented Feb 22, 2020

Supported versions that are affected are PHPStudy2016 and PHPStudy2018.

Need to switch service version to php-5.4.45 + Apache


Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/multi/http/phpstudy_backdoor_rce
  • set rhosts 192.168.56.104
  • check or run

POC


@bcoles bcoles mentioned this pull request Feb 22, 2020
Contributor

bcoles left a comment

Please also address msftidy issues:

--- Checking new and changed module syntax with tools/dev/msftidy.rb ---

modules/exploits/multi/http/phpstudy_backdoor_rce.rb - [INFO] No CVE references found. Please check before you land!
modules/exploits/multi/http/phpstudy_backdoor_rce.rb:49 - [WARNING] Spaces at EOL
modules/exploits/multi/http/phpstudy_backdoor_rce.rb:52 - [WARNING] Spaces at EOL
modules/exploits/multi/http/phpstudy_backdoor_rce.rb:65 - [WARNING] Spaces at EOL
@bcoles

Contributor

bcoles commented Feb 22, 2020

Please add some module documentation for this module.

@bcoles bcoles added docs and removed needs-docs labels Feb 23, 2020
Contributor

bcoles left a comment

A few more msftidy violations:

--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/multi/http/phpstudy_backdoor_rce.rb - [INFO] No CVE references found. Please check before you land!
modules/exploits/multi/http/phpstudy_backdoor_rce.rb:18 - [WARNING] Spaces at EOL
modules/exploits/multi/http/phpstudy_backdoor_rce.rb:59 - [WARNING] Spaces at EOL
modules/exploits/multi/http/phpstudy_backdoor_rce.rb:61 - [WARNING] Spaces at EOL
AirEvan added 2 commits Feb 23, 2020
@adamgalway-r7 adamgalway-r7 self-assigned this Mar 3, 2020
@adamgalway-r7

Contributor

adamgalway-r7 commented Mar 4, 2020

@AirEvan, I'm having some issues changing the service version for PHPStudy to php-5.4.45 + Apache. Could you post a step by step guide, or better yet a video, showing how to set the correct service version for PHPStudy2016 & PHPStudy2018?

I've installed phpStudy 2018 on Windows 7 and with no further customization check returns "The target is not exploitable." Is this expected?

I've included a screenshot of my PHPStudy 2018 install:
Is this the correct install?

@AirEvan

Contributor Author

AirEvan commented Mar 5, 2020

@AirEvan, I'm having some issues changing the service version for PHPStudy to php-5.4.45 + Apache. Could you post a step by step guide, or better yet a video, showing how to set the correct service version for PHPStudy2016 & PHPStudy2018?

I've installed phpStudy 2018 on Windows 7 and with no further customization check returns "The target is not exploitable." Is this expected?

I've included a screenshot of my PHPStudy 2018 install:
Is this the correct install?

Sorry, this is a bug and has been fixed.
The requested file must be PHP.

@adamgalway-r7

Contributor

adamgalway-r7 commented Mar 5, 2020

Hey @AirEvan, thanks for the quick response! I re-read through the breakdown you linked in your docs and figured out my install of PHPStudy isn't vulnerable as the PHP 5.4.5 php_xmlrpc.dll used in my install has a different MD5 hash from the one listed in the breakdown.

Good News:
Check works correctly for discerning non-vulnerable versions of PHPStudy.

Bad News:
I need an install of PHPStudy 20180211 (or another vulnerable version) but haven't had any luck finding a download online. Do you have a link or copy you could send my way?

@AirEvan

Contributor Author

AirEvan commented Mar 5, 2020

Hey @AirEvan, thanks for the quick response! I re-read through the breakdown you linked in your docs and figured out my install of PHPStudy isn't vulnerable as the PHP 5.4.5 php_xmlrpc.dll used in my install has a different MD5 hash from the one listed in the breakdown.

Good News:
Check works correctly for discerning non-vulnerable versions of PHPStudy.

Bad News:
I need an install of PHPStudy 20180211 (or another vulnerable version) but haven't had any luck finding a download online. Do you have a link or copy you could send my way?

@adamgalway-r7
You can download this: https://drive.google.com/file/d/1lO1YL5M94ercfS8iB6yW8WOItFCEQ9yQ/view?usp=sharing


Sometimes it will prompt you to update; please click skip.

Test: https://www.youtube.com/watch?v=AOoJ4Xp56cc

@AirEvan AirEvan closed this Mar 5, 2020
@AirEvan AirEvan reopened this Mar 5, 2020
@adamgalway-r7 adamgalway-r7 merged commit 0e163c6 into rapid7:master Mar 10, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
@adamgalway-r7

Contributor

adamgalway-r7 commented Mar 10, 2020

Release Notes

Exploits a deliberate backdoor added to PHPStudy by malicious actors. By sending a request to a vulnerable PHPStudy server with the Accept-Encoding header set to gzip,deflate, the contents of the Accept-Charset header will be executed if encoded in Base64.
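
The release notes above describe the request shape that triggers the backdoor: Accept-Encoding set to gzip,deflate together with a Base64-encoded Accept-Charset header. The Ruby script below is an added detection-side example, not code from this PR or from the Metasploit module, that parses raw HTTP request heads and flags ones matching that shape so a defender can hunt for trigger attempts in proxy or web-server captures. The sample requests, the charset allowlist and all function names are constructed for the example; the "suspicious" sample wraps a placeholder string in Base64 to reproduce only the header shape.

```ruby
require 'base64'

# Charset tokens considered legitimate in Accept-Charset (constructed allowlist;
# extend it for the clients actually seen in your own environment).
KNOWN_CHARSETS = %w[* utf-8 utf8 utf-16 us-ascii iso-8859-1 iso-8859-15
                    windows-1252 gbk gb2312 gb18030 big5 euc-jp shift_jis].freeze

# Split a raw HTTP request head into a hash of lowercase header names to values.
def parse_headers(raw)
  headers = {}
  raw.split(/\r?\n/).drop(1).each do |line| # drop(1) skips the request line
    break if line.empty?                      # a blank line ends the header block
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  headers
end

# True when every comma-separated token (ignoring ;q= parameters) is a known charset.
def charset_list?(value)
  value.split(',').all? do |tok|
    KNOWN_CHARSETS.include?(tok.split(';').first.to_s.strip.downcase)
  end
end

# True when the value is strictly decodable Base64 rather than a charset name.
def base64_blob?(value)
  return false unless value.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z}) && (value.length % 4).zero?
  Base64.strict_decode64(value)
  true
rescue ArgumentError
  false
end

# Returns a reason string when the request has the shape described in the release
# notes (Accept-Encoding gzip,deflate plus a Base64 Accept-Charset), otherwise nil.
def phpstudy_backdoor_indicator(raw)
  h = parse_headers(raw)
  encoding = h['accept-encoding'].to_s.delete(' ').downcase
  charset  = h['accept-charset']
  return nil unless encoding.include?('gzip,deflate') && charset
  return nil if charset_list?(charset)   # ordinary browser value, nothing to see
  return nil unless base64_blob?(charset)
  "Accept-Charset carries a #{charset.length}-char Base64 blob with Accept-Encoding gzip,deflate"
end

# Run the check over a list of raw requests; returns [[index, reason], ...] for hits.
def scan_requests(requests)
  requests.each_with_index.map do |raw, i|
    reason = phpstudy_backdoor_indicator(raw)
    [i, reason] if reason
  end.compact
end

# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = [
  'GET /index.php HTTP/1.1',
  'Host: 192.0.2.10',
  'Accept-Encoding: gzip, deflate',
  'Accept-Charset: utf-8, iso-8859-1;q=0.5',
  ''
].join("\r\n")

SUSPICIOUS_REQUEST = [
  'GET /index.php HTTP/1.1',
  'Host: 192.0.2.10',
  'Accept-Encoding: gzip,deflate',
  # Placeholder text, not PHP: only the header shape matters for detection.
  "Accept-Charset: #{Base64.strict_encode64('constructed placeholder, not code')}",
  ''
].join("\r\n")

if __FILE__ == $PROGRAM_NAME
  scan_requests([BENIGN_REQUEST, SUSPICIOUS_REQUEST]).each do |i, reason|
    puts "request ##{i}: #{reason}"
  end
end
```

Modern browsers rarely send Accept-Charset at all, so a Base64-looking value in that header is a strong signal on its own; the Accept-Encoding condition is kept because the release notes name it as part of the trigger, and because it filters out the odd client that sends an unusual but non-Base64 charset.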

@adamgalway-r7

Contributor

adamgalway-r7 commented Mar 10, 2020

Great work @AirEvan, thanks for all the help!

3 participants